[glib-networking/wip/tingping/pkcs11: 1/3] WIP: Re-add pkcs11 support
- From: Patrick Griffis <pgriffis src gnome org>
- To: commits-list gnome org
- Cc: 
- Subject: [glib-networking/wip/tingping/pkcs11: 1/3] WIP: Re-add pkcs11 support
- Date: Mon, 29 Jul 2019 19:51:11 +0000 (UTC)
commit d3ba6eba23aa0b2178811ffe986ebf8b7de3bfc7
Author: Patrick Griffis <pgriffis igalia com>
Date:   Fri Apr 26 12:13:11 2019 -0700
    WIP: Re-add pkcs11 support
 meson.build                             |   12 +
 meson_options.txt                       |    1 +
 po/POTFILES.in                          |    2 +
 tls/gnutls/gtlsbackend-gnutls.c         |   36 +
 tls/gnutls/gtlscertificate-gnutls.c     |  107 ++-
 tls/gnutls/gtlscertificate-gnutls.h     |   12 +
 tls/gnutls/gtlsconnection-gnutls.c      |   76 ++
 tls/gnutls/gtlsdatabase-gnutls-pkcs11.c | 1139 +++++++++++++++++++++++
 tls/gnutls/gtlsdatabase-gnutls-pkcs11.h |   44 +
 tls/gnutls/meson.build                  |   10 +
 tls/pkcs11/gpkcs11array.c               |  282 ++++++
 tls/pkcs11/gpkcs11array.h               |  107 +++
 tls/pkcs11/gpkcs11pin.c                 |  159 ++++
 tls/pkcs11/gpkcs11pin.h                 |   46 +
 tls/pkcs11/gpkcs11slot.c                |  618 ++++++++++++
 tls/pkcs11/gpkcs11slot.h                |   73 ++
 tls/pkcs11/gpkcs11util.c                |   63 ++
 tls/pkcs11/gpkcs11util.h                |   51 +
 tls/pkcs11/meson.build                  |   28 +
 tls/pkcs11/pkcs11-trust-assertions.h    |   59 ++
 tls/tests/meson.build                   |   14 +
 tls/tests/mock-pkcs11.c                 | 1547 +++++++++++++++++++++++++++++++
 tls/tests/mock-pkcs11.h                 |  396 ++++++++
 tls/tests/pkcs11-array.c                |  288 ++++++
 tls/tests/pkcs11-pin.c                  |  152 +++
 tls/tests/pkcs11-slot.c                 |  526 +++++++++++
 tls/tests/pkcs11-util.c                 |   63 ++
 27 files changed, 5910 insertions(+), 1 deletion(-)
---
diff --git a/meson.build b/meson.build
index 8d01f52..5c03f6e 100644
--- a/meson.build
+++ b/meson.build
@@ -75,6 +75,14 @@ gnutls_dep = dependency('gnutls', version: '>= 3.4.6', required: get_option('gnu
 
 if gnutls_dep.found()
   backends += ['gnutls']
+
+  # *** Checks for p11-kit  ***
+  pkcs11_dep = dependency('p11-kit-1', version: '>= 0.20', required: get_option('pkcs11'))
+
+  if pkcs11_dep.found()
+    config_h.set('HAVE_PKCS11', 1,
+                 description: 'Building with PKCS#11 support')
+  endif
 endif
 
 # *** Checks for OpenSSL    ***
@@ -172,6 +180,9 @@ if libproxy_dep.found() or gsettings_desktop_schemas_dep.found()
 endif
 
 subdir('tls/base')
+if pkcs11_dep.found()
+  subdir('tls/pkcs11')
+endif
 
 if gnutls_dep.found()
   subdir('tls/gnutls')
@@ -194,4 +205,5 @@ output += '  gnutls support:      ' + backends.contains('gnutls').to_string() +
 output += '  openssl support:     ' + backends.contains('openssl').to_string() + '\n'
 output += '  libproxy support:    ' + libproxy_dep.found().to_string() + '\n'
 output += '  GNOME proxy support: ' + gsettings_desktop_schemas_dep.found().to_string() + '\n'
+output += '  PKCS#11 support:     ' + pkcs11_dep.found().to_string() + '\n'
 message(output)
diff --git a/meson_options.txt b/meson_options.txt
index 3a525dd..04706be 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -2,5 +2,6 @@ option('gnutls', type: 'feature', value: 'auto', description: 'support for GnuTL
 option('openssl', type: 'feature', value: 'disabled', description: 'support for OpenSSL networking 
configration')
 option('libproxy', type: 'feature', value: 'auto', description: 'support for libproxy proxy configration')
 option('gnome_proxy', type: 'feature', value: 'auto', description: 'support for GNOME desktop proxy 
configuration')
+option('pkcs11', type: 'feature', value: 'disabled', description: 'support for PKCS#11 using p11-kit')
 option('installed_tests', type: 'boolean', value: false, description: 'enable installed tests')
 option('static_modules', type: 'boolean', value: false, description: 'build static modules')
diff --git a/po/POTFILES.in b/po/POTFILES.in
index dffd37e..0308cc4 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -13,3 +13,5 @@ tls/openssl/gtlscertificate-openssl.c
 tls/openssl/gtlsclientconnection-openssl.c
 tls/openssl/gtlsconnection-openssl.c
 tls/openssl/gtlsserverconnection-openssl.c
+tls/pkcs11/gpkcs11pin.c
+tls/pkcs11/gpkcs11slot.c
diff --git a/tls/gnutls/gtlsbackend-gnutls.c b/tls/gnutls/gtlsbackend-gnutls.c
index c955327..23278cd 100644
--- a/tls/gnutls/gtlsbackend-gnutls.c
+++ b/tls/gnutls/gtlsbackend-gnutls.c
@@ -35,6 +35,7 @@
 #include "gtlsclientconnection-gnutls.h"
 #include "gtlsfiledatabase-gnutls.h"
 #include "gtlsserverconnection-gnutls.h"
+#include "gtlsdatabase-gnutls-pkcs11.h"
 
 struct _GTlsBackendGnutls
 {
@@ -42,6 +43,7 @@ struct _GTlsBackendGnutls
 
   GMutex mutex;
   GTlsDatabase *default_database;
+  GTlsDatabase *pkcs11_database;
 };
 
 static void g_tls_backend_gnutls_interface_init (GTlsBackendInterface *iface);
@@ -153,6 +155,39 @@ g_tls_backend_gnutls_get_default_database (GTlsBackend *backend)
   return result;
 }
 
+static GTlsDatabase*
+g_tls_backend_gnutls_get_pkcs11_database (GTlsBackend *backend)
+{
+  GTlsBackendGnutls *self = G_TLS_BACKEND_GNUTLS (backend);
+  GTlsDatabase *result;
+  GError *error = NULL;
+
+  g_mutex_lock (&self->mutex);
+
+  if (self->pkcs11_database)
+    {
+      result = g_object_ref (self->pkcs11_database);
+    }
+  else
+    {
+      result = G_TLS_DATABASE (g_tls_database_gnutls_pkcs11_new (&error));
+      if (error)
+        {
+          g_warning ("Failed to load PKCS11 TLS database: %s", error->message);
+          g_clear_error (&error);
+        }
+      else
+        {
+          g_assert (result);
+          self->pkcs11_database = g_object_ref (result);
+        }
+    }
+
+  g_mutex_unlock (&self->mutex);
+
+  return result;
+}
+
 static void
 g_tls_backend_gnutls_interface_init (GTlsBackendInterface *iface)
 {
@@ -161,6 +196,7 @@ g_tls_backend_gnutls_interface_init (GTlsBackendInterface *iface)
   iface->get_server_connection_type = g_tls_server_connection_gnutls_get_type;
   iface->get_file_database_type =     g_tls_file_database_gnutls_get_type;
   iface->get_default_database =       g_tls_backend_gnutls_get_default_database;
+  iface->get_pkcs11_database =        g_tls_backend_gnutls_get_pkcs11_database;
   iface->get_dtls_client_connection_type = g_tls_client_connection_gnutls_get_type;
   iface->get_dtls_server_connection_type = g_tls_server_connection_gnutls_get_type;
 }
diff --git a/tls/gnutls/gtlscertificate-gnutls.c b/tls/gnutls/gtlscertificate-gnutls.c
index ff18c46..8023e91 100644
--- a/tls/gnutls/gtlscertificate-gnutls.c
+++ b/tls/gnutls/gtlscertificate-gnutls.c
@@ -39,7 +39,9 @@ enum
   PROP_CERTIFICATE_PEM,
   PROP_PRIVATE_KEY,
   PROP_PRIVATE_KEY_PEM,
-  PROP_ISSUER
+  PROP_ISSUER,
+  PROP_CERTIFICATE_URI,
+  PROP_PRIVATE_KEY_URI,
 };
 
 struct _GTlsCertificateGnutls
@@ -53,6 +55,9 @@ struct _GTlsCertificateGnutls
 
   GError *construct_error;
 
+  gchar *certificate_uri;
+  gchar *private_key_uri;
+
   guint have_cert : 1;
   guint have_key  : 1;
 };
@@ -141,6 +146,14 @@ g_tls_certificate_gnutls_get_property (GObject    *object,
       g_value_set_object (value, gnutls->issuer);
       break;
 
+    case PROP_CERTIFICATE_URI:
+      g_value_set_string (value, gnutls->certificate_uri);
+      break;
+
+    case PROP_PRIVATE_KEY_URI:
+      g_value_set_string (value, gnutls->private_key_uri);
+      break;
+
     default:
       G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
     }
@@ -267,6 +280,16 @@ g_tls_certificate_gnutls_set_property (GObject      *object,
       gnutls->issuer = g_value_dup_object (value);
       break;
 
+    case PROP_CERTIFICATE_URI:
+      g_free (gnutls->certificate_uri);
+      gnutls->certificate_uri = g_value_dup_string (value);
+      break;
+
+    case PROP_PRIVATE_KEY_URI:
+      g_free (gnutls->private_key_uri);
+      gnutls->private_key_uri = g_value_dup_string (value);
+      break;
+
     default:
       G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
     }
@@ -376,6 +399,17 @@ g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
   g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
   g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
   g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
+
+  g_object_class_install_property (gobject_class, PROP_CERTIFICATE_URI,
+                  g_param_spec_string ("certificate-uri", "Certificate URI",
+                                       "PKCS#11 URI of Certificate", NULL,
+                                       G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+
+  g_object_class_install_property (gobject_class, PROP_PRIVATE_KEY_URI,
+                  g_param_spec_string ("private-key-uri", "Private Key URI",
+                                       "PKCS#11 URI of Private Key", NULL,
+                                       G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+
 }
 
 static void
@@ -398,6 +432,33 @@ g_tls_certificate_gnutls_new (const gnutls_datum_t *datum,
   return G_TLS_CERTIFICATE (gnutls);
 }
 
+GTlsCertificate *
+g_tls_certificate_gnutls_pkcs11_new (gpointer certificate_data,
+                                     gsize certificate_data_length,
+                                     const gchar *certificate_uri,
+                                     const gchar *private_key_uri,
+                                     GTlsCertificate    *issuer)
+{
+  GTlsCertificate *certificate;
+  gnutls_datum_t datum;
+
+  g_return_val_if_fail (certificate_data, NULL);
+  g_return_val_if_fail (certificate_uri, NULL);
+
+  datum.data = certificate_data;
+  datum.size = certificate_data_length;
+
+  certificate = g_object_new (G_TYPE_TLS_CERTIFICATE_GNUTLS,
+                              "issuer", issuer,
+                              "certificate-uri", certificate_uri,
+                              "private-key-uri", private_key_uri,
+                              NULL);
+
+  g_tls_certificate_gnutls_set_data (G_TLS_CERTIFICATE_GNUTLS (certificate), &datum);
+
+  return certificate;
+}
+
 void
 g_tls_certificate_gnutls_set_data (GTlsCertificateGnutls *gnutls,
                                    const gnutls_datum_t  *datum)
@@ -489,6 +550,26 @@ g_tls_certificate_gnutls_copy  (GTlsCertificateGnutls  *gnutls,
       {
         *pkey = NULL;
       }
+
+  // if (*pkey == NULL)
+  //   {
+  //     gchar *uri = g_tls_certificate_gnutls_pkcs11_build_private_key_uri (chain, interaction_id);
+  //     g_message("%s", uri);
+  //     if (uri != NULL)
+  //       {
+  //         gnutls_pkcs11_privkey_t pkcs11_privkey;
+  //         gnutls_privkey_t privkey;
+
+  //         gnutls_pkcs11_privkey_init (&pkcs11_privkey);
+  //         gnutls_pkcs11_privkey_import_url (pkcs11_privkey, uri, GNUTLS_PKCS11_URL_GENERIC);
+  //         g_free (uri);
+
+  //         gnutls_privkey_init (&privkey);
+  //         gnutls_privkey_import_pkcs11 (privkey, pkcs11_privkey, GNUTLS_PRIVKEY_IMPORT_COPY);
+  //         *pkey = privkey;
+  //         gnutls_pkcs11_privkey_deinit (pkcs11_privkey);
+  //       }
+  //   }
 }
 
 void
@@ -761,3 +842,27 @@ g_tls_certificate_gnutls_build_chain (const gnutls_datum_t  *certs,
 
   return result;
 }
+
+gchar *
+g_tls_certificate_gnutls_pkcs11_build_certificate_uri (GTlsCertificateGnutls *self,
+                                                       const gchar *interaction_id)
+{
+  if (self->certificate_uri == NULL)
+    return NULL;
+  else if (interaction_id)
+    return g_strdup_printf ("%s;pinfile=%s", self->certificate_uri, interaction_id);
+  else
+    return g_strdup (self->certificate_uri);
+}
+
+gchar *
+g_tls_certificate_gnutls_pkcs11_build_private_key_uri (GTlsCertificateGnutls *self,
+                                                       const gchar *interaction_id)
+{
+  if (self->private_key_uri == NULL)
+    return NULL;
+  else if (interaction_id)
+    return g_strdup_printf ("%s;pinfile=%s", self->private_key_uri, interaction_id);
+  else
+    return g_strdup (self->private_key_uri);
+}
\ No newline at end of file
diff --git a/tls/gnutls/gtlscertificate-gnutls.h b/tls/gnutls/gtlscertificate-gnutls.h
index c5aff43..3c7a4e9 100644
--- a/tls/gnutls/gtlscertificate-gnutls.h
+++ b/tls/gnutls/gtlscertificate-gnutls.h
@@ -70,6 +70,18 @@ GTlsCertificateGnutls*       g_tls_certificate_gnutls_build_chain     (const gnu
                                                                        guint                  num_certs,
                                                                        gnutls_x509_crt_fmt_t  format);
 
+GTlsCertificate *  g_tls_certificate_gnutls_pkcs11_new                   (gpointer        certificate_der,
+                                                                          gsize           
certificate_der_length,
+                                                                          const gchar     *certificate_uri,
+                                                                          const gchar     *private_key_uri,
+                                                                          GTlsCertificate *issuer);
+
+gchar *            g_tls_certificate_gnutls_pkcs11_build_certificate_uri (GTlsCertificateGnutls *self,
+                                                                          const gchar *interaction_id);
+
+gchar *            g_tls_certificate_gnutls_pkcs11_build_private_key_uri (GTlsCertificateGnutls *self,
+                                                                          const gchar *interaction_id);
+
 G_END_DECLS
 
 #endif /* __G_TLS_CERTIFICATE_GNUTLS_H___ */
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index 774d668..4eb1e36 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -40,6 +40,11 @@
 #include "gtlsoutputstream-gnutls.h"
 #include "gtlsserverconnection-gnutls.h"
 
+#ifdef HAVE_PKCS11
+#include <p11-kit/pin.h>
+#include "pkcs11/gpkcs11pin.h"
+#endif
+
 #ifdef G_OS_WIN32
 #include <winsock2.h>
 #include <winerror.h>
@@ -103,6 +108,14 @@ static gboolean g_tls_connection_gnutls_initable_init       (GInitable       *in
 static void     g_tls_connection_gnutls_dtls_connection_iface_init (GDtlsConnectionInterface *iface);
 static void     g_tls_connection_gnutls_datagram_based_iface_init  (GDatagramBasedInterface  *iface);
 
+#ifdef HAVE_PKCS11
+static P11KitPin*    on_pin_prompt_callback  (const char     *pinfile,
+                                              P11KitUri      *pin_uri,
+                                              const char     *pin_description,
+                                              P11KitPinFlags  pin_flags,
+                                              void           *callback_data);
+#endif
+
 static void g_tls_connection_gnutls_init_priorities (void);
 
 static int verify_certificate_cb (gnutls_session_t session);
@@ -269,6 +282,11 @@ g_tls_connection_gnutls_init (GTlsConnectionGnutls *gnutls)
   unique_id = g_atomic_int_add (&unique_interaction_id, 1);
   priv->interaction_id = g_strdup_printf ("gtls:%d", unique_id);
 
+#ifdef HAVE_PKCS11
+  p11_kit_pin_register_callback (priv->interaction_id,
+                                 on_pin_prompt_callback, gnutls, NULL);
+#endif
+
   priv->waiting_for_op = g_cancellable_new ();
   g_cancellable_cancel (priv->waiting_for_op);
   g_mutex_init (&priv->op_mutex);
@@ -462,6 +480,10 @@ g_tls_connection_gnutls_finalize (GObject *object)
 
   g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
 
+#ifdef HAVE_PKCS11
+  p11_kit_pin_unregister_callback (priv->interaction_id,
+                                   on_pin_prompt_callback, gnutls);
+#endif
   g_free (priv->interaction_id);
   g_clear_object (&priv->interaction);
 
@@ -3117,6 +3139,60 @@ g_tls_connection_gnutls_dtls_get_negotiated_protocol (GDtlsConnection *conn)
 }
 #endif
 
+#ifdef HAVE_PKCS11
+
+static P11KitPin*
+on_pin_prompt_callback (const char     *pinfile,
+                        P11KitUri      *pin_uri,
+                        const char     *pin_description,
+                        P11KitPinFlags  pin_flags,
+                        void           *callback_data)
+{
+  GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (callback_data);
+  GTlsConnectionGnutlsPrivate *priv = g_tls_connection_gnutls_get_instance_private (gnutls);
+  GTlsInteractionResult result;
+  GTlsPasswordFlags flags = 0;
+  GTlsPassword *password;
+  P11KitPin *pin = NULL;
+  GError *error = NULL;
+
+  if (!priv->interaction)
+    return NULL;
+
+  if (pin_flags & P11_KIT_PIN_FLAGS_RETRY)
+    flags |= G_TLS_PASSWORD_RETRY;
+  if (pin_flags & P11_KIT_PIN_FLAGS_MANY_TRIES)
+    flags |= G_TLS_PASSWORD_MANY_TRIES;
+  if (pin_flags & P11_KIT_PIN_FLAGS_FINAL_TRY)
+    flags |= G_TLS_PASSWORD_FINAL_TRY;
+
+  password = g_pkcs11_pin_new (flags, pin_description);
+
+  result = g_tls_interaction_ask_password (priv->interaction, password,
+                                           g_cancellable_get_current (), &error);
+
+  switch (result)
+    {
+    case G_TLS_INTERACTION_FAILED:
+      if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
+        g_warning ("couldn't ask for password: %s", error->message);
+      pin = NULL;
+      break;
+    case G_TLS_INTERACTION_UNHANDLED:
+    default:
+      pin = NULL;
+      break;
+    case G_TLS_INTERACTION_HANDLED:
+      pin = g_pkcs11_pin_steal_internal (G_PKCS11_PIN (password));
+      break;
+    }
+
+  g_object_unref (password);
+  return pin;
+}
+
+#endif /* HAVE_PKCS11 */
+
 static void
 g_tls_connection_gnutls_class_init (GTlsConnectionGnutlsClass *klass)
 {
diff --git a/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c
new file mode 100644
index 0000000..6a647d3
--- /dev/null
+++ b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.c
@@ -0,0 +1,1139 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright 2011 Collabora, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include "config.h"
+
+#include "gtlsdatabase-gnutls-pkcs11.h"
+#include "gtlscertificate-gnutls.h"
+
+#include <gio/gio.h>
+#include <glib/gi18n-lib.h>
+#include <gnutls/x509.h>
+
+#include <p11-kit/p11-kit.h>
+#include <stdlib.h>
+
+#include "pkcs11/gpkcs11pin.h"
+#include "pkcs11/gpkcs11slot.h"
+#include "pkcs11/gpkcs11util.h"
+#include "pkcs11/pkcs11-trust-assertions.h"
+
+typedef enum {
+  G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE = 1,
+  G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE = 2,
+} GTlsDatabaseGnutlsAssertion;
+
+static const CK_ATTRIBUTE_TYPE CERTIFICATE_ATTRIBUTE_TYPES[] = {
+    CKA_ID, CKA_LABEL, CKA_CLASS, CKA_VALUE
+};
+
+static const CK_ATTRIBUTE_TYPE KEY_ATTRIBUTE_TYPES[] = {
+    CKA_ID, CKA_LABEL, CKA_CLASS, CKA_KEY_TYPE
+};
+
+static void g_tls_database_gnutls_pkcs11_initable_iface_init (GInitableIface *iface);
+
+struct _GTlsDatabaseGnutlsPkcs11
+{
+  GTlsDatabase parent_instance;
+
+  /* no changes after construction */
+  CK_FUNCTION_LIST **modules;
+  GList *pkcs11_slots;
+  GList *trust_uris;
+};
+
+G_DEFINE_TYPE_WITH_CODE (GTlsDatabaseGnutlsPkcs11, g_tls_database_gnutls_pkcs11,
+                         G_TYPE_TLS_DATABASE,
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
+                                                g_tls_database_gnutls_pkcs11_initable_iface_init));
+
+static gboolean
+discover_module_slots_and_options (GTlsDatabaseGnutlsPkcs11   *self,
+                                   CK_FUNCTION_LIST_PTR        module,
+                                   GError                    **error)
+{
+  CK_ULONG i, count = 0;
+  CK_SLOT_ID *list;
+  GPkcs11Slot *slot;
+  P11KitUri *uri;
+  char *string;
+  guint uri_type;
+  int ret;
+  CK_RV rv;
+
+  /*
+   * Ask module for the number of slots. We include slots without tokens
+   * since we want to be able to use them if the user inserts a token
+   * later.
+   */
+
+  rv = (module->C_GetSlotList) (CK_FALSE, NULL, &count);
+  if (rv != CKR_OK)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                   "Couldn't load list of slots in PKCS#11 module: %s",
+                   p11_kit_strerror (rv));
+      return FALSE;
+    }
+
+  if (count == 0)
+    return TRUE;
+
+  /* Actually retrieve the slot ids */
+  list = g_new0 (CK_SLOT_ID, count);
+  rv = (module->C_GetSlotList) (CK_FALSE, list, &count);
+  if (rv != CKR_OK)
+    {
+      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                   "Couldn't load list of slots in PKCS#11 module: %s",
+                   p11_kit_strerror (rv));
+      g_free (list);
+      return FALSE;
+    }
+
+  for (i = 0; i < count; ++i)
+    {
+      slot = g_object_new (G_TYPE_PKCS11_SLOT,
+                           "slot-id", list[i],
+                           "module", module,
+                           NULL);
+      self->pkcs11_slots = g_list_append (self->pkcs11_slots, slot);
+    }
+
+  /*
+   * Load up relevant options. We use the x-trust-lookup option to determine
+   * which slots we can use for looking up trust assertionts.
+   */
+
+  string = p11_kit_config_option (module, "x-trust-lookup");
+  if (string != NULL)
+    {
+      uri = p11_kit_uri_new ();
+      uri_type = P11_KIT_URI_FOR_TOKEN | P11_KIT_URI_FOR_MODULE_WITH_VERSION;
+      ret = p11_kit_uri_parse (string, uri_type, uri);
+
+      if (ret < 0)
+        {
+          g_message ("couldn't parse configured uri for trust lookups: %s: %s",
+                     string, p11_kit_uri_message (ret));
+          p11_kit_uri_free (uri);
+        }
+      else
+        {
+          self->trust_uris = g_list_append (self->trust_uris, uri);
+        }
+
+      free (string);
+    }
+
+  return TRUE;
+}
+
+static GTlsCertificate *
+create_database_pkcs11_certificate (GPkcs11Slot  *slot,
+                                    GPkcs11Array *certificate_attrs,
+                                    GPkcs11Array *private_key_attrs)
+{
+  GTlsCertificate *certificate;
+  gchar *certificate_uri = NULL;
+  gchar *private_key_uri = NULL;
+  const CK_ATTRIBUTE *value_attr;
+  P11KitUri *uri;
+  int ret;
+
+  value_attr = g_pkcs11_array_find (certificate_attrs, CKA_VALUE);
+  if (value_attr == NULL)
+    return NULL;
+
+  uri = p11_kit_uri_new ();
+
+  /*
+   * The PKCS#11 URIs we create for certificates and keys are not bound to
+   * the module. They are bound to the token.
+   *
+   * For example the user could have keys on a smart card token. He could insert
+   * this smart card into a different slot, or perhaps change the driver
+   * (through an OS upgrade). So the key and certificate should still be
+   * referenceable through the URI.
+   *
+   * We also set a 'pinfile' prompting id, so that users of p11-kit like
+   * gnutls can call our callback.
+   */
+
+  if (!g_pkcs11_slot_get_token_info (slot, p11_kit_uri_get_token_info (uri)))
+    g_return_val_if_reached (NULL);
+
+  ret = p11_kit_uri_set_attributes (uri, certificate_attrs->attrs,
+                                    certificate_attrs->count);
+  g_return_val_if_fail (ret == P11_KIT_URI_OK, NULL);
+
+  ret = p11_kit_uri_format (uri, P11_KIT_URI_FOR_OBJECT_ON_TOKEN, &certificate_uri);
+  g_return_val_if_fail (ret == P11_KIT_URI_OK, NULL);
+
+  if (private_key_attrs != NULL)
+    {
+
+      /* The URI will keep the token info above, so we just change attributes */
+
+      ret = p11_kit_uri_set_attributes (uri, private_key_attrs->attrs,
+                                        private_key_attrs->count);
+      g_return_val_if_fail (ret == P11_KIT_URI_OK, NULL);
+
+      ret = p11_kit_uri_format (uri, P11_KIT_URI_FOR_OBJECT_ON_TOKEN, &private_key_uri);
+      g_return_val_if_fail (ret == P11_KIT_URI_OK, NULL);
+    }
+
+  certificate = g_tls_certificate_gnutls_pkcs11_new (value_attr->pValue,
+                                                     value_attr->ulValueLen,
+                                                     certificate_uri,
+                                                     private_key_uri,
+                                                     NULL);
+
+  p11_kit_uri_free (uri);
+  g_free (certificate_uri);
+  g_free (private_key_uri);
+
+  return certificate;
+}
+
+static const gchar *
+calculate_peer_for_identity (GSocketConnectable *identity)
+{
+  const char *peer;
+
+  if (G_IS_NETWORK_ADDRESS (identity))
+    peer = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
+  else if (G_IS_NETWORK_SERVICE (identity))
+    peer = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
+  else
+    peer = NULL;
+
+  return peer;
+}
+
+static void
+g_tls_database_gnutls_pkcs11_finalize (GObject *object)
+{
+  GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (object);
+  GList *l;
+
+  for (l = self->pkcs11_slots; l; l = g_list_next (l))
+      g_object_unref (l->data);
+  g_list_free (self->pkcs11_slots);
+
+  for (l = self->trust_uris; l; l = g_list_next (l))
+    p11_kit_uri_free (l->data);
+  g_list_free (self->trust_uris);
+
+  if (self->modules)
+    p11_kit_modules_release (self->modules);
+
+  G_OBJECT_CLASS (g_tls_database_gnutls_pkcs11_parent_class)->finalize (object);
+}
+
+static void
+g_tls_database_gnutls_pkcs11_init (GTlsDatabaseGnutlsPkcs11 *self)
+{
+}
+
+static gboolean
+accumulate_stop (gpointer result,
+                 gpointer user_data)
+{
+  return FALSE; /* stop enumeration */
+}
+
+static gboolean
+accumulate_exists (gpointer result,
+                   gpointer user_data)
+{
+  gboolean *exists = (gboolean *)user_data;
+  *exists = TRUE;
+  return FALSE; /* stop enumeration */
+}
+
+static gboolean
+accumulate_first_attributes (gpointer result,
+                             gpointer user_data)
+{
+  GPkcs11Array **attributes = (GPkcs11Array **)user_data;
+  g_assert (attributes);
+  *attributes = g_pkcs11_array_ref (result);
+  return FALSE; /* stop enumeration */
+}
+
+static gboolean
+accumulate_list_attributes (gpointer result,
+                            gpointer user_data)
+{
+  GList **results = (GList **)user_data;
+  g_assert (results);
+  *results = g_list_append (*results, g_pkcs11_array_ref (result));
+  return TRUE; /* continue enumeration */
+}
+
+static gboolean
+accumulate_first_object (gpointer result,
+                         gpointer user_data)
+{
+  GObject **object = (GObject **)user_data;
+  g_assert (object);
+  *object = g_object_ref (result);
+  return FALSE; /* stop enumeration */
+}
+
+static gboolean
+accumulate_list_objects (gpointer result,
+                         gpointer user_data)
+{
+  GList **results = (GList **)user_data;
+  g_assert (results);
+  *results = g_list_append (*results, g_object_ref (result));
+  return TRUE; /* continue enumeration */
+}
+
+static GPkcs11EnumerateState
+enumerate_call_accumulator (GPkcs11Accumulator accumulator,
+                            gpointer           result,
+                            gpointer           user_data)
+{
+  g_assert (accumulator);
+
+  if (!(accumulator) (result, user_data))
+    return G_PKCS11_ENUMERATE_STOP;
+
+  return G_PKCS11_ENUMERATE_CONTINUE;
+}
+
+static GPkcs11EnumerateState
+enumerate_assertion_exists_in_slot (GPkcs11Slot         *slot,
+                                    GTlsInteraction     *interaction,
+                                    GPkcs11Array        *match,
+                                    GPkcs11Accumulator   accumulator,
+                                    gpointer             user_data,
+                                    GCancellable        *cancellable,
+                                    GError             **error)
+{
+  GPkcs11EnumerateState state;
+
+  state = g_pkcs11_slot_enumerate (slot, interaction, match->attrs, match->count,
+                                   FALSE, NULL, 0, accumulate_stop, NULL,
+                                   cancellable, error);
+
+  /* A stop means that something matched */
+  if (state == G_PKCS11_ENUMERATE_STOP)
+    return enumerate_call_accumulator (accumulator, NULL, user_data);
+
+  return state;
+}
+
+static GPkcs11EnumerateState
+enumerate_assertion_exists_in_database (GTlsDatabaseGnutlsPkcs11   *self,
+                                        GTlsInteraction            *interaction,
+                                        GPkcs11Array               *match,
+                                        GPkcs11Accumulator          accumulator,
+                                        gpointer                    user_data,
+                                        GCancellable               *cancellable,
+                                        GError                    **error)
+{
+  GPkcs11EnumerateState state = G_PKCS11_ENUMERATE_CONTINUE;
+  gboolean slot_matched;
+  GPkcs11Slot *slot;
+  GList *l, *t;
+
+  for (l = self->pkcs11_slots; l != NULL; l = g_list_next (l))
+    {
+      if (g_cancellable_set_error_if_cancelled (cancellable, error))
+        return G_PKCS11_ENUMERATE_FAILED;
+
+      slot = l->data;
+
+      /* We only search for assertions on slots that match the trust-lookup uris */
+      slot_matched = FALSE;
+      for (t = self->trust_uris; !slot_matched && t != NULL; t = g_list_next (t))
+          slot_matched = g_pkcs11_slot_matches_uri (slot, t->data);
+      if (!slot_matched)
+        continue;
+
+      state = enumerate_assertion_exists_in_slot (slot, interaction, match, accumulator,
+                                                  user_data, cancellable, error);
+      if (state != G_PKCS11_ENUMERATE_CONTINUE)
+        break;
+  }
+
+  return state;
+}
+
+static gboolean
+g_tls_database_gnutls_pkcs11_lookup_assertion (GTlsDatabaseGnutlsPkcs11     *self,
+                                               GTlsCertificateGnutls        *certificate,
+                                               GTlsDatabaseGnutlsAssertion   assertion,
+                                               const gchar                  *purpose,
+                                               GSocketConnectable           *identity,
+                                               GCancellable                 *cancellable,
+                                               GError                      **error)
+{
+  GByteArray *der = NULL;
+  gboolean found, ready;
+  GPkcs11Array *match;
+  const gchar *peer;
+
+  ready = FALSE;
+  found = FALSE;
+  match = g_pkcs11_array_new ();
+
+  if (assertion == G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE ||
+      assertion == G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE)
+    {
+      g_object_get (certificate, "certificate", &der, NULL);
+      g_return_val_if_fail (der, FALSE);
+      g_pkcs11_array_add_value (match, CKA_X_CERTIFICATE_VALUE, der->data, der->len);
+      g_byte_array_unref (der);
+
+      g_pkcs11_array_add_value (match, CKA_X_PURPOSE, purpose, -1);
+
+      if (assertion == G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE)
+        {
+          g_pkcs11_array_add_ulong (match, CKA_X_ASSERTION_TYPE, CKT_X_ANCHORED_CERTIFICATE);
+          ready = TRUE;
+        }
+      else if (assertion == G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE)
+        {
+          g_pkcs11_array_add_ulong (match, CKA_X_ASSERTION_TYPE, CKT_X_PINNED_CERTIFICATE);
+          peer = calculate_peer_for_identity (identity);
+          if (peer)
+            {
+              g_pkcs11_array_add_value (match, CKA_X_PEER, peer, -1);
+              ready = TRUE;
+            }
+        }
+    }
+
+  if (ready == TRUE)
+      enumerate_assertion_exists_in_database (self, NULL, match, accumulate_exists,
+                                              &found, cancellable, error);
+
+  g_pkcs11_array_unref (match);
+  return found;
+}
+
+static GPkcs11EnumerateState
+enumerate_keypair_for_certificate (GPkcs11Slot         *slot,
+                                   GTlsInteraction     *interaction,
+                                   GPkcs11Array        *match_certificate,
+                                   GPkcs11Accumulator   accumulator,
+                                   gpointer             user_data,
+                                   GCancellable        *cancellable,
+                                   GError             **error)
+{
+  static CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
+  GPkcs11Array *private_key_attrs = NULL;
+  const CK_ATTRIBUTE *id_attribute;
+  CK_ATTRIBUTE match[2];
+  GTlsCertificate *certificate;
+  GPkcs11EnumerateState state;
+
+  /*
+   * We need to find a private key that matches the certificate.
+   *
+   * The PKCS#11 standard strongly suggests the norm that matching certificates
+   * and keys have the same CKA_ID. This is how we lookup the key that matches
+   * a certificate.
+   */
+
+  id_attribute = g_pkcs11_array_find (match_certificate, CKA_ID);
+  if (id_attribute == NULL)
+    return TRUE;
+
+  match[0].type = CKA_ID;
+  match[0].pValue = id_attribute->pValue;
+  match[0].ulValueLen = id_attribute->ulValueLen;
+  match[1].type = CKA_CLASS;
+  match[1].pValue = &key_class;
+  match[1].ulValueLen = sizeof (key_class);
+
+  g_assert (private_key_attrs == NULL);
+  state = g_pkcs11_slot_enumerate (slot, interaction, match, G_N_ELEMENTS (match), TRUE,
+                                   KEY_ATTRIBUTE_TYPES, G_N_ELEMENTS (KEY_ATTRIBUTE_TYPES),
+                                   accumulate_first_attributes, &private_key_attrs,
+                                   cancellable, error);
+
+  if (state == G_PKCS11_ENUMERATE_FAILED)
+    return state;
+
+  state = G_PKCS11_ENUMERATE_CONTINUE;
+  if (private_key_attrs)
+    {
+      /* We searched for public key (see above) so change attributes to look like private */
+      g_pkcs11_array_set_ulong (private_key_attrs, CKA_CLASS, CKO_PRIVATE_KEY);
+      certificate = create_database_pkcs11_certificate (slot, match_certificate,
+                                                        private_key_attrs);
+      g_pkcs11_array_unref (private_key_attrs);
+
+      if (certificate)
+        {
+          state = enumerate_call_accumulator (accumulator, certificate, user_data);
+          g_object_unref (certificate);
+        }
+    }
+
+  return state;
+}
+
+static GPkcs11EnumerateState
+enumerate_keypairs_in_slot (GPkcs11Slot         *slot,
+                            GTlsInteraction     *interaction,
+                            CK_ATTRIBUTE_PTR     match,
+                            CK_ULONG             match_count,
+                            GPkcs11Accumulator   accumulator,
+                            gpointer             user_data,
+                            GCancellable        *cancellable,
+                            GError             **error)
+{
+  GPkcs11EnumerateState state;
+  GList *results = NULL;
+  GList *l;
+
+  /*
+   * Find all the certificates that match for this slot, and then below
+   * we lookup to see if there's a private key for any of them.
+   *
+   * Note that we shouldn't be doing two find operations at once, because
+   * this may use too many sessions on smart cards and fragile drivers. So
+   * that's why we list all certificates, complete that find operation, and
+   * then do more find ops looking for private keys.
+   */
+
+  state = g_pkcs11_slot_enumerate (slot, interaction, match, match_count, FALSE,
+                                   CERTIFICATE_ATTRIBUTE_TYPES,
+                                   G_N_ELEMENTS (CERTIFICATE_ATTRIBUTE_TYPES),
+                                   accumulate_list_attributes, &results,
+                                   cancellable, error);
+  if (state == G_PKCS11_ENUMERATE_CONTINUE)
+    {
+      for (l = results; l != NULL; l = g_list_next (l))
+        {
+          state = enumerate_keypair_for_certificate (slot, interaction, l->data, accumulator,
+                                                     user_data, cancellable, error);
+          if (state != G_PKCS11_ENUMERATE_CONTINUE)
+            break;
+        }
+    }
+
+  for (l = results; l != NULL; l = g_list_next (l))
+    g_pkcs11_array_unref (l->data);
+  g_list_free (results);
+
+  return state;
+}
+
+typedef struct {
+  GPkcs11Accumulator accumulator;
+  gpointer user_data;
+  GPkcs11Slot *slot;
+} enumerate_certificates_closure;
+
+static gboolean
+accumulate_wrap_into_certificate (gpointer result,
+                                  gpointer user_data)
+{
+  GPkcs11EnumerateState state = G_PKCS11_ENUMERATE_CONTINUE;
+  enumerate_certificates_closure *closure = user_data;
+  GTlsCertificate *certificate;
+
+  certificate = create_database_pkcs11_certificate (closure->slot,
+                                                    result, NULL);
+  if (certificate)
+    {
+      state = enumerate_call_accumulator (closure->accumulator, certificate,
+                                          closure->user_data);
+      g_object_unref (certificate);
+    }
+
+  return (state == G_PKCS11_ENUMERATE_CONTINUE);
+}
+
+static GPkcs11EnumerateState
+enumerate_certificates_in_slot (GPkcs11Slot         *slot,
+                                GTlsInteraction     *interaction,
+                                CK_ATTRIBUTE_PTR     match,
+                                CK_ULONG             match_count,
+                                GPkcs11Accumulator   accumulator,
+                                gpointer             user_data,
+                                GCancellable        *cancellable,
+                                GError             **error)
+{
+  enumerate_certificates_closure closure = { accumulator, user_data, slot };
+
+  /*
+   * We create the certificates inline, so we can stop the enumeration early
+   * if only one certificate is necessary, but a whole bunch match. We provide
+   * our own accumulator here, turning the attributes into certificates and
+   * then calling the original accumulator.
+   */
+
+  return g_pkcs11_slot_enumerate (slot, interaction, match, match_count, FALSE,
+                                  CERTIFICATE_ATTRIBUTE_TYPES,
+                                  G_N_ELEMENTS (CERTIFICATE_ATTRIBUTE_TYPES),
+                                  accumulate_wrap_into_certificate,
+                                  &closure, cancellable, error);
+}
+
+static GPkcs11EnumerateState
+enumerate_certificates_in_database (GTlsDatabaseGnutlsPkcs11  *self,
+                                    GTlsInteraction           *interaction,
+                                    GTlsDatabaseLookupFlags    flags,
+                                    CK_ATTRIBUTE_PTR           match,
+                                    CK_ULONG                   match_count,
+                                    P11KitUri                 *match_slot_to_uri,
+                                    GPkcs11Accumulator         accumulator,
+                                    gpointer                   user_data,
+                                    GCancellable              *cancellable,
+                                    GError                   **error)
+{
+  GPkcs11EnumerateState state = G_PKCS11_ENUMERATE_CONTINUE;
+  GPkcs11Slot *slot;
+  GList *l;
+
+  /* These are the flags we support */
+  if (flags & ~(G_TLS_DATABASE_LOOKUP_KEYPAIR))
+    return G_PKCS11_ENUMERATE_CONTINUE;
+
+  for (l = self->pkcs11_slots; l; l = g_list_next (l))
+    {
+      if (g_cancellable_set_error_if_cancelled (cancellable, error))
+        return G_PKCS11_ENUMERATE_FAILED;
+
+      slot = l->data;
+
+      /* If the slot doesn't match the URI (when one is present) nothing matches */
+      if (match_slot_to_uri && !g_pkcs11_slot_matches_uri (slot, match_slot_to_uri))
+        continue;
+
+      if (flags & G_TLS_DATABASE_LOOKUP_KEYPAIR)
+        {
+          state = enumerate_keypairs_in_slot (slot, interaction, match,
+                                              match_count, accumulator, user_data,
+                                              cancellable, error);
+
+        }
+      else
+        {
+          state = enumerate_certificates_in_slot (slot, interaction, match,
+                                                  match_count, accumulator,
+                                                  user_data, cancellable, error);
+        }
+
+      if (state != G_PKCS11_ENUMERATE_CONTINUE)
+        break;
+    }
+
+  return state;
+}
+
+static GTlsCertificate *
+g_tls_database_gnutls_pkcs11_lookup_certificate_issuer (GTlsDatabase             *database,
+                                                        GTlsCertificate          *certificate,
+                                                        GTlsInteraction          *interaction,
+                                                        GTlsDatabaseLookupFlags   flags,
+                                                        GCancellable             *cancellable,
+                                                        GError                  **error)
+{
+  GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database);
+  GTlsCertificate *result = NULL;
+  GPkcs11Array *match = NULL;
+  gnutls_x509_crt_t cert;
+  gnutls_datum_t dn;
+  int gerr;
+
+  g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (certificate), NULL);
+
+  /* Dig out the issuer of this certificate */
+  cert = g_tls_certificate_gnutls_get_cert (G_TLS_CERTIFICATE_GNUTLS (certificate));
+  gerr = gnutls_x509_crt_get_raw_issuer_dn (cert, &dn);
+  if (gerr < 0)
+    {
+      g_warning ("failed to get issuer of certificate: %s", gnutls_strerror (gerr));
+      return NULL;
+    }
+
+  match = g_pkcs11_array_new ();
+  g_pkcs11_array_add_ulong (match, CKA_CLASS, CKO_CERTIFICATE);
+  g_pkcs11_array_add_ulong (match, CKA_CERTIFICATE_TYPE, CKC_X_509);
+  g_pkcs11_array_add_value (match, CKA_SUBJECT, dn.data, dn.size);
+  gnutls_free (dn.data);
+
+  enumerate_certificates_in_database (self, interaction, flags, match->attrs,
+                                      match->count, NULL, accumulate_first_object,
+                                      &result, cancellable, error);
+  g_pkcs11_array_unref (match);
+  return result;
+}
+
+static GList *
+g_tls_database_gnutls_pkcs11_lookup_certificates_issued_by (GTlsDatabase             *database,
+                                                            GByteArray               *issuer_subject,
+                                                            GTlsInteraction          *interaction,
+                                                            GTlsDatabaseLookupFlags   flags,
+                                                            GCancellable             *cancellable,
+                                                            GError                  **error)
+{
+  GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database);
+  GList *l, *results = NULL;
+  GPkcs11Array *match = NULL;
+  GPkcs11EnumerateState state;
+
+  g_return_val_if_fail (issuer_subject, NULL);
+
+  match = g_pkcs11_array_new ();
+  g_pkcs11_array_add_ulong (match, CKA_CLASS, CKO_CERTIFICATE);
+  g_pkcs11_array_add_ulong (match, CKA_CERTIFICATE_TYPE, CKC_X_509);
+  g_pkcs11_array_add_value (match, CKA_ISSUER, issuer_subject->data, issuer_subject->len);
+
+  state = enumerate_certificates_in_database (self, interaction, flags, match->attrs,
+                                              match->count, NULL, accumulate_list_objects,
+                                              &results, cancellable, error);
+
+  /* Could have had partial success, don't leak memory */
+  if (state == G_PKCS11_ENUMERATE_FAILED)
+    {
+      for (l = results; l != NULL; l = g_list_next (l))
+        g_object_unref (l->data);
+      g_list_free (results);
+      results = NULL;
+    }
+
+  g_pkcs11_array_unref (match);
+  return results;
+}
+
+static gchar *
+g_tls_database_gnutls_pkcs11_create_certificate_handle (GTlsDatabase    *database,
+                                                        GTlsCertificate *certificate)
+{
+  return g_tls_certificate_gnutls_pkcs11_build_certificate_uri (G_TLS_CERTIFICATE_GNUTLS (certificate), 
NULL);
+}
+
+static GTlsCertificate *
+g_tls_database_gnutls_pkcs11_lookup_certificate_for_handle (GTlsDatabase             *database,
+                                                            const gchar              *handle,
+                                                            GTlsInteraction          *interaction,
+                                                            GTlsDatabaseLookupFlags   flags,
+                                                            GCancellable             *cancellable,
+                                                            GError                  **error)
+{
+  GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (database);
+  GTlsCertificate *result = NULL;
+  P11KitUri *uri;
+  CK_ATTRIBUTE_PTR match;
+  CK_ULONG match_count;
+  int ret;
+
+  /* The handle is a PKCS#11 URI */
+
+  /* These are the flags we support */
+  if (flags & ~(G_TLS_DATABASE_LOOKUP_KEYPAIR))
+    return NULL;
+
+  uri = p11_kit_uri_new ();
+  if (uri == NULL)
+    g_error ("out of memory in p11_kit_uri_new()");
+
+  ret = p11_kit_uri_parse (handle, P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE |
+                           P11_KIT_URI_FOR_MODULE_WITH_VERSION, uri);
+  if (ret == P11_KIT_URI_NO_MEMORY)
+    {
+      g_error ("out of memory in p11_kit_uri_parse()");
+    }
+  else if (ret != P11_KIT_URI_OK)
+    {
+      p11_kit_uri_free (uri);
+      g_set_error (error, G_PKCS11_ERROR, G_PKCS11_ERROR_BAD_URI,
+                   "Invalid PKCS#11 URI: %s", handle);
+      return NULL;
+    }
+
+  match = p11_kit_uri_get_attributes (uri, &match_count);
+  enumerate_certificates_in_database (self, interaction, flags, match, match_count,
+                                      uri, accumulate_first_object, &result,
+                                      cancellable, error);
+
+  p11_kit_uri_free (uri);
+  return result;
+}
+
+#define BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT 10
+
+enum {
+  STATUS_FAILURE,
+  STATUS_INCOMPLETE,
+  STATUS_SELFSIGNED,
+  STATUS_ANCHORED,
+  STATUS_RECURSION_LIMIT_REACHED
+};
+
+static gboolean
+is_self_signed (GTlsCertificateGnutls *certificate)
+{
+  const gnutls_x509_crt_t cert = g_tls_certificate_gnutls_get_cert (certificate);
+  return (gnutls_x509_crt_check_issuer (cert, cert) > 0);
+}
+
+static gint
+build_certificate_chain (GTlsDatabaseGnutlsPkcs11  *self,
+                         GTlsCertificateGnutls     *certificate,
+                         GTlsCertificateGnutls     *previous,
+                         gboolean                   certificate_is_from_db,
+                         guint                      recursion_depth,
+                         const gchar               *purpose,
+                         GSocketConnectable        *identity,
+                         GTlsInteraction           *interaction,
+                         GCancellable              *cancellable,
+                         GTlsCertificateGnutls    **anchor,
+                         GError                   **error)
+{
+  GTlsCertificate *issuer;
+  gint status;
+
+  if (recursion_depth++ > BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT)
+    return STATUS_RECURSION_LIMIT_REACHED;
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return STATUS_FAILURE;
+
+  /* Look up whether this certificate is an anchor */
+  if (g_tls_database_gnutls_pkcs11_lookup_assertion (self, certificate,
+                                                     G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE,
+                                                     purpose, identity, cancellable, error))
+    {
+      g_tls_certificate_gnutls_set_issuer (certificate, NULL);
+      *anchor = certificate;
+      return STATUS_ANCHORED;
+    }
+  else if (*error)
+    {
+      return STATUS_FAILURE;
+    }
+
+  /* Is it self-signed? */
+  if (is_self_signed (certificate))
+    {
+      /*
+       * Since at this point we would fail with 'self-signed', can we replace
+       * this certificate with one from the database and do better?
+       */
+      if (previous && !certificate_is_from_db)
+        {
+          issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self),
+                                                             G_TLS_CERTIFICATE (previous),
+                                                             interaction,
+                                                             G_TLS_DATABASE_LOOKUP_NONE,
+                                                             cancellable, error);
+          if (*error)
+            {
+              return STATUS_FAILURE;
+            }
+          else if (issuer)
+            {
+              /* Replaced with certificate in the db, restart step again with this certificate */
+              g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE);
+              certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
+              g_tls_certificate_gnutls_set_issuer (previous, certificate);
+              g_object_unref (issuer);
+
+              return build_certificate_chain (self, certificate, previous, TRUE, recursion_depth,
+                                              purpose, identity, interaction, cancellable, anchor, error);
+            }
+        }
+
+      g_tls_certificate_gnutls_set_issuer (certificate, NULL);
+      return STATUS_SELFSIGNED;
+    }
+
+  previous = certificate;
+
+  /* Bring over the next certificate in the chain */
+  issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (certificate));
+  if (issuer)
+    {
+      g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE);
+      certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
+
+      status = build_certificate_chain (self, certificate, previous, FALSE, recursion_depth,
+                                        purpose, identity, interaction, cancellable, anchor, error);
+      if (status != STATUS_INCOMPLETE)
+        {
+          return status;
+        }
+    }
+
+  /* Search for the next certificate in chain */
+  issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self),
+                                                     G_TLS_CERTIFICATE (certificate),
+                                                     interaction,
+                                                     G_TLS_DATABASE_LOOKUP_NONE,
+                                                     cancellable, error);
+  if (*error)
+    return STATUS_FAILURE;
+
+  if (!issuer)
+    return STATUS_INCOMPLETE;
+
+  g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE);
+  g_tls_certificate_gnutls_set_issuer (certificate, G_TLS_CERTIFICATE_GNUTLS (issuer));
+  certificate = G_TLS_CERTIFICATE_GNUTLS (issuer);
+  g_object_unref (issuer);
+
+  return build_certificate_chain (self, certificate, previous, TRUE, recursion_depth,
+                                  purpose, identity, interaction, cancellable, anchor, error);
+}
+
+static GTlsCertificateFlags
+double_check_before_after_dates (GTlsCertificateGnutls *chain)
+{
+  GTlsCertificateFlags gtls_flags = 0;
+  gnutls_x509_crt_t cert;
+  time_t t, now;
+
+  now = time (NULL);
+  while (chain)
+    {
+      cert = g_tls_certificate_gnutls_get_cert (chain);
+      t = gnutls_x509_crt_get_activation_time (cert);
+      if (t == (time_t) -1 || t > now)
+        gtls_flags |= G_TLS_CERTIFICATE_NOT_ACTIVATED;
+
+      t = gnutls_x509_crt_get_expiration_time (cert);
+      if (t == (time_t) -1 || t < now)
+        gtls_flags |= G_TLS_CERTIFICATE_EXPIRED;
+
+      chain = G_TLS_CERTIFICATE_GNUTLS (g_tls_certificate_get_issuer
+                                        (G_TLS_CERTIFICATE (chain)));
+    }
+
+  return gtls_flags;
+}
+
+static void
+convert_certificate_chain_to_gnutls (GTlsCertificateGnutls  *chain,
+                                     gnutls_x509_crt_t     **gnutls_chain,
+                                     guint                  *gnutls_chain_length)
+{
+  GTlsCertificate *cert;
+  guint i;
+
+  g_assert (gnutls_chain);
+  g_assert (gnutls_chain_length);
+
+  for (*gnutls_chain_length = 0, cert = G_TLS_CERTIFICATE (chain);
+       cert; cert = g_tls_certificate_get_issuer (cert))
+    ++(*gnutls_chain_length);
+
+  *gnutls_chain = g_new0 (gnutls_x509_crt_t, *gnutls_chain_length);
+
+  for (i = 0, cert = G_TLS_CERTIFICATE (chain);
+       cert; cert = g_tls_certificate_get_issuer (cert), ++i)
+    (*gnutls_chain)[i] = g_tls_certificate_gnutls_get_cert (G_TLS_CERTIFICATE_GNUTLS (cert));
+
+  g_assert (i == *gnutls_chain_length);
+}
+
+static GTlsCertificateFlags
+g_tls_database_gnutls_pkcs11_verify_chain (GTlsDatabase             *database,
+                                           GTlsCertificate          *chain,
+                                           const gchar              *purpose,
+                                           GSocketConnectable       *identity,
+                                           GTlsInteraction          *interaction,
+                                           GTlsDatabaseVerifyFlags   flags,
+                                           GCancellable             *cancellable,
+                                           GError                  **error)
+{
+  GTlsDatabaseGnutlsPkcs11 *self;
+  GTlsCertificateFlags result;
+  GTlsCertificateGnutls *certificate;
+  GError *err = NULL;
+  GTlsCertificateGnutls *anchor;
+  guint gnutls_result;
+  gnutls_x509_crt_t *certs, *anchors;
+  guint certs_length, anchors_length;
+  gint status, gerr;
+  guint recursion_depth = 0;
+
+  g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (chain),
+                        G_TLS_CERTIFICATE_GENERIC_ERROR);
+  g_assert (purpose);
+
+  self = G_TLS_DATABASE_GNUTLS_PKCS11 (database);
+  certificate = G_TLS_CERTIFICATE_GNUTLS (chain);
+
+  /* First check for pinned certificate */
+  if (g_tls_database_gnutls_pkcs11_lookup_assertion (self, certificate,
+                                                     G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE,
+                                                     purpose, identity, cancellable, &err))
+    {
+      /*
+       * A pinned certificate is verified on its own, without any further
+       * verification.
+       */
+      g_tls_certificate_gnutls_set_issuer (certificate, NULL);
+      return 0;
+    }
+
+  if (err)
+    {
+      g_propagate_error (error, err);
+      return G_TLS_CERTIFICATE_GENERIC_ERROR;
+    }
+
+  anchor = NULL;
+  status = build_certificate_chain (self, certificate, NULL, FALSE, recursion_depth,
+                                    purpose, identity, interaction, cancellable, &anchor, &err);
+  if (status == STATUS_FAILURE)
+    {
+      g_propagate_error (error, err);
+      return G_TLS_CERTIFICATE_GENERIC_ERROR;
+    }
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return G_TLS_CERTIFICATE_GENERIC_ERROR;
+
+  convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (chain),
+                                       &certs, &certs_length);
+
+  if (anchor)
+    {
+      g_assert (g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (anchor)) == NULL);
+      convert_certificate_chain_to_gnutls (G_TLS_CERTIFICATE_GNUTLS (anchor),
+                                           &anchors, &anchors_length);
+    }
+  else
+    {
+      anchors = NULL;
+      anchors_length = 0;
+    }
+
+  gerr = gnutls_x509_crt_list_verify (certs, certs_length,
+                                      anchors, anchors_length,
+                                      NULL, 0, 0,
+                                      &gnutls_result);
+
+  g_free (certs);
+  g_free (anchors);
+
+  if (gerr != 0)
+    return G_TLS_CERTIFICATE_GENERIC_ERROR;
+  else if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return G_TLS_CERTIFICATE_GENERIC_ERROR;
+
+  result = g_tls_certificate_gnutls_convert_flags (gnutls_result);
+
+  /*
+   * We have to check these ourselves since gnutls_x509_crt_list_verify
+   * won't bother if it gets an UNKNOWN_CA.
+   */
+  result |= double_check_before_after_dates (G_TLS_CERTIFICATE_GNUTLS (chain));
+
+  if (identity)
+    result |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (chain),
+                                                        identity);
+
+  return result;
+}
+
+static void
+g_tls_database_gnutls_pkcs11_class_init (GTlsDatabaseGnutlsPkcs11Class *klass)
+{
+  GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
+  GTlsDatabaseClass *database_class = G_TLS_DATABASE_CLASS (klass);
+
+  gobject_class->finalize = g_tls_database_gnutls_pkcs11_finalize;
+
+  database_class->create_certificate_handle = g_tls_database_gnutls_pkcs11_create_certificate_handle;
+  database_class->lookup_certificate_issuer = g_tls_database_gnutls_pkcs11_lookup_certificate_issuer;
+  database_class->lookup_certificates_issued_by = g_tls_database_gnutls_pkcs11_lookup_certificates_issued_by;
+  database_class->lookup_certificate_for_handle = g_tls_database_gnutls_pkcs11_lookup_certificate_for_handle;
+  database_class->verify_chain = g_tls_database_gnutls_pkcs11_verify_chain;
+}
+
+static gboolean
+g_tls_database_gnutls_pkcs11_initable_init (GInitable     *initable,
+                                            GCancellable  *cancellable,
+                                            GError       **error)
+{
+  GTlsDatabaseGnutlsPkcs11 *self = G_TLS_DATABASE_GNUTLS_PKCS11 (initable);
+  GError *err = NULL;
+  gboolean any_success = FALSE;
+  gboolean any_failure = FALSE;
+  guint i;
+
+  g_return_val_if_fail (!self->modules, FALSE);
+
+  self->modules = p11_kit_modules_load (NULL, 0);
+  if (self->modules == NULL) {
+    g_set_error_literal (error, G_PKCS11_ERROR, CKR_FUNCTION_FAILED, p11_kit_message ());
+    return FALSE;
+  }
+
+  for (i = 0; self->modules[i] != NULL; i++)
+    {
+      if (g_cancellable_set_error_if_cancelled (cancellable, error))
+        {
+          any_failure = TRUE;
+          any_success = FALSE;
+          break;
+        }
+
+      if (discover_module_slots_and_options (self, self->modules[i], &err))
+        {
+          /* A module was setup correctly */
+          any_success = TRUE;
+          g_clear_error (error);
+        }
+      else
+        {
+          /* No module success, first module failure */
+          if (!any_success && !any_failure)
+            g_propagate_error (error, err);
+          any_failure = TRUE;
+        }
+    }
+
+  return (any_failure && !any_success) ? FALSE : TRUE;
+}
+
+static void
+g_tls_database_gnutls_pkcs11_initable_iface_init (GInitableIface *iface)
+{
+  iface->init = g_tls_database_gnutls_pkcs11_initable_init;
+}
+
+GTlsDatabase *
+g_tls_database_gnutls_pkcs11_new (GError **error)
+{
+  g_return_val_if_fail (!error || !*error, NULL);
+  return g_initable_new (G_TYPE_TLS_DATABASE_GNUTLS_PKCS11, NULL, error, NULL);
+}
diff --git a/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h
new file mode 100644
index 0000000..cd7a52d
--- /dev/null
+++ b/tls/gnutls/gtlsdatabase-gnutls-pkcs11.h
@@ -0,0 +1,44 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - GLib Certificate, Output and Gnutlsing Library
+ *
+ * Copyright 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#ifndef __G_TLS_DATABASE_GNUTLS_PKCS11_H__
+#define __G_TLS_DATABASE_GNUTLS_PKCS11_H__
+
+#include <gio/gio.h>
+
+#include "gtlsdatabase-gnutls.h"
+
+G_BEGIN_DECLS
+
+#define G_TYPE_TLS_DATABASE_GNUTLS_PKCS11            (g_tls_database_gnutls_pkcs11_get_type ())
+
+G_DECLARE_FINAL_TYPE (GTlsDatabaseGnutlsPkcs11, g_tls_database_gnutls_pkcs11, G, TLS_DATABASE_GNUTLS_PKCS11, 
GTlsDatabase)
+
+GTlsDatabase*                g_tls_database_gnutls_pkcs11_new                   (GError **error);
+
+G_END_DECLS
+
+#endif /* __G_TLS_DATABASE_GNUTLS_PKCS11_H___ */
diff --git a/tls/gnutls/meson.build b/tls/gnutls/meson.build
index 4ff127e..4aff069 100644
--- a/tls/gnutls/meson.build
+++ b/tls/gnutls/meson.build
@@ -21,6 +21,16 @@ deps = [
   gnutls_dep
 ]
 
+if pkcs11_dep.found()
+  sources += files(
+    'gtlsdatabase-gnutls-pkcs11.c',
+  )
+
+  incs += tls_inc
+
+  deps += libgiopkcs11_dep
+endif
+
 module = shared_module(
   'giognutls',
   sources: sources,
diff --git a/tls/pkcs11/gpkcs11array.c b/tls/pkcs11/gpkcs11array.c
new file mode 100644
index 0000000..c3627f4
--- /dev/null
+++ b/tls/pkcs11/gpkcs11array.c
@@ -0,0 +1,282 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - Small GLib wrapper of PKCS#11 for use in GTls
+ *
+ * Copyright 2011 Collabora, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include "config.h"
+
+#include "gpkcs11array.h"
+
+#include <string.h>
+
+G_DEFINE_BOXED_TYPE (GPkcs11Array, g_pkcs11_array, g_pkcs11_array_ref, g_pkcs11_array_unref);
+
+typedef struct _GRealPkcs11Array
+{
+  CK_ATTRIBUTE *attrs;
+  CK_ULONG len;
+  volatile gint ref_count;
+} GRealPkcs11Array;
+
+GPkcs11Array*
+g_pkcs11_array_new (void)
+{
+  GRealPkcs11Array *array = g_slice_new (GRealPkcs11Array);
+
+  array->attrs = NULL;
+  array->len = 0;
+  array->ref_count = 1;
+
+  return (GPkcs11Array *)array;
+}
+
+void
+g_pkcs11_array_add (GPkcs11Array *array,
+                    CK_ATTRIBUTE *attr)
+{
+  GRealPkcs11Array *rarray = (GRealPkcs11Array *)array;
+
+  g_return_if_fail (array);
+  g_return_if_fail (attr);
+  g_return_if_fail (attr->ulValueLen != (CK_ATTRIBUTE_TYPE)-1 || !attr->pValue);
+  g_return_if_fail (attr->pValue || !attr->ulValueLen);
+
+  rarray->attrs = g_renew (CK_ATTRIBUTE, rarray->attrs, rarray->len + 1);
+  memcpy (rarray->attrs + rarray->len, attr, sizeof (CK_ATTRIBUTE));
+  if (attr->pValue)
+    rarray->attrs[rarray->len].pValue = g_memdup (attr->pValue, attr->ulValueLen);
+  rarray->len++;
+}
+
+void
+g_pkcs11_array_add_value (GPkcs11Array      *array,
+                          CK_ATTRIBUTE_TYPE  type,
+                          gconstpointer      value,
+                          gssize              length)
+{
+  CK_ATTRIBUTE attr;
+
+  g_return_if_fail (array);
+
+  if (length < 0)
+    length = strlen (value);
+
+  attr.type = type;
+  attr.pValue = (gpointer)value;
+  attr.ulValueLen = length;
+  g_pkcs11_array_add (array, &attr);
+}
+
+void
+g_pkcs11_array_add_boolean (GPkcs11Array      *array,
+                            CK_ATTRIBUTE_TYPE  attr_type,
+                            gboolean           value)
+{
+  CK_ATTRIBUTE attr;
+  CK_BBOOL bval;
+
+  g_return_if_fail (array);
+
+  bval = value ? CK_TRUE : CK_FALSE;
+  attr.type = attr_type;
+  attr.pValue = &bval;
+  attr.ulValueLen = sizeof (bval);
+  g_pkcs11_array_add (array, &attr);
+}
+
+void
+g_pkcs11_array_add_ulong (GPkcs11Array      *array,
+                          CK_ATTRIBUTE_TYPE  type,
+                          gulong             value)
+{
+  CK_ATTRIBUTE attr;
+  CK_ULONG uval;
+
+  g_return_if_fail (array);
+
+  uval = value;
+  attr.type = type;
+  attr.pValue = &uval;
+  attr.ulValueLen = sizeof (uval);
+  g_pkcs11_array_add (array, &attr);
+}
+
+void
+g_pkcs11_array_set (GPkcs11Array *array,
+                    CK_ATTRIBUTE *attr)
+{
+  CK_ATTRIBUTE *previous;
+
+  g_return_if_fail (array);
+  g_return_if_fail (attr);
+  g_return_if_fail (attr->ulValueLen != (CK_ATTRIBUTE_TYPE)-1 || !attr->pValue);
+  g_return_if_fail (attr->pValue || !attr->ulValueLen);
+
+  previous = (CK_ATTRIBUTE *)g_pkcs11_array_find (array, attr->type);
+  if (previous == NULL)
+    {
+      g_pkcs11_array_add (array, attr);
+    }
+  else
+    {
+      g_free (previous->pValue);
+      previous->pValue = g_memdup (attr->pValue, attr->ulValueLen);
+      previous->ulValueLen = attr->ulValueLen;
+    }
+}
+
+void
+g_pkcs11_array_set_value (GPkcs11Array      *array,
+                          CK_ATTRIBUTE_TYPE  type,
+                          gconstpointer      value,
+                          gssize              length)
+{
+  CK_ATTRIBUTE attr;
+
+  g_return_if_fail (array);
+
+  if (length < 0)
+    length = strlen (value);
+
+  attr.type = type;
+  attr.pValue = (gpointer)value;
+  attr.ulValueLen = length;
+  g_pkcs11_array_set (array, &attr);
+}
+
+void
+g_pkcs11_array_set_boolean (GPkcs11Array      *array,
+                            CK_ATTRIBUTE_TYPE  attr_type,
+                            gboolean           value)
+{
+  CK_ATTRIBUTE attr;
+  CK_BBOOL bval;
+
+  g_return_if_fail (array);
+
+  bval = value ? CK_TRUE : CK_FALSE;
+  attr.type = attr_type;
+  attr.pValue = &bval;
+  attr.ulValueLen = sizeof (bval);
+  g_pkcs11_array_set (array, &attr);
+}
+
+void
+g_pkcs11_array_set_ulong (GPkcs11Array      *array,
+                          CK_ATTRIBUTE_TYPE  type,
+                          gulong             value)
+{
+  CK_ATTRIBUTE attr;
+  CK_ULONG uval;
+
+  g_return_if_fail (array);
+
+  uval = value;
+  attr.type = type;
+  attr.pValue = &uval;
+  attr.ulValueLen = sizeof (uval);
+  g_pkcs11_array_set (array, &attr);
+}
+
+
+const CK_ATTRIBUTE*
+g_pkcs11_array_find (GPkcs11Array         *array,
+                     CK_ATTRIBUTE_TYPE     type)
+{
+    const CK_ATTRIBUTE* attr;
+    guint i;
+
+    g_return_val_if_fail (array, NULL);
+
+    for (i = 0; i < array->count; ++i)
+      {
+        attr = &g_pkcs11_array_index (array, i);
+        if (attr->type == type)
+          return attr;
+      }
+
+    return NULL;
+}
+
+gboolean
+g_pkcs11_array_find_boolean (GPkcs11Array         *array,
+                             CK_ATTRIBUTE_TYPE     type,
+                             gboolean             *value)
+{
+  const CK_ATTRIBUTE* attr;
+
+  g_return_val_if_fail (array, FALSE);
+  g_return_val_if_fail (value, FALSE);
+
+  attr = g_pkcs11_array_find (array, type);
+  if (!attr || !attr->pValue || attr->ulValueLen != sizeof (CK_BBOOL))
+    return FALSE;
+  *value = *((CK_BBOOL *)attr->pValue) ? TRUE : FALSE;
+  return TRUE;
+}
+
+gboolean
+g_pkcs11_array_find_ulong (GPkcs11Array         *array,
+                           CK_ATTRIBUTE_TYPE     type,
+                           gulong               *value)
+{
+  const CK_ATTRIBUTE* attr;
+
+  g_return_val_if_fail (array, FALSE);
+  g_return_val_if_fail (value, FALSE);
+
+  attr = g_pkcs11_array_find (array, type);
+  if (!attr || !attr->pValue || attr->ulValueLen != sizeof (CK_ULONG))
+    return FALSE;
+  *value = *((CK_ULONG *)attr->pValue);
+  return TRUE;
+}
+
+GPkcs11Array*
+g_pkcs11_array_ref (GPkcs11Array *array)
+{
+  GRealPkcs11Array *rarray = (GRealPkcs11Array *)array;
+
+  g_return_val_if_fail (array, NULL);
+  g_return_val_if_fail (g_atomic_int_get (&rarray->ref_count) > 0, array);
+  g_atomic_int_inc (&rarray->ref_count);
+  return array;
+}
+
+void
+g_pkcs11_array_unref (GPkcs11Array *array)
+{
+  GRealPkcs11Array *rarray = (GRealPkcs11Array *)array;
+  CK_ULONG i;
+
+  g_return_if_fail (array);
+  g_return_if_fail (g_atomic_int_get (&rarray->ref_count) > 0);
+  if (g_atomic_int_dec_and_test (&rarray->ref_count))
+    {
+      for (i = 0; i < rarray->len; ++i)
+        g_free (rarray->attrs[i].pValue);
+      g_free (rarray->attrs);
+      g_slice_free1 (sizeof (GRealPkcs11Array), array);
+    }
+}
diff --git a/tls/pkcs11/gpkcs11array.h b/tls/pkcs11/gpkcs11array.h
new file mode 100644
index 0000000..04d1a66
--- /dev/null
+++ b/tls/pkcs11/gpkcs11array.h
@@ -0,0 +1,107 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - Small GLib wrapper of PKCS#11 for use in GTls
+ *
+ * Copyright 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#ifndef __G_PKCS11_ARRAY_H__
+#define __G_PKCS11_ARRAY_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include <p11-kit/pkcs11.h>
+
+#include <p11-kit/uri.h>
+
+G_BEGIN_DECLS
+
+typedef struct _GPkcs11Array       GPkcs11Array;
+
+struct _GPkcs11Array
+{
+  CK_ATTRIBUTE *attrs;
+  CK_ULONG      count;
+};
+
+#define             G_TYPE_PKCS11_ARRAY                     (g_pkcs11_array_get_type ())
+
+GType               g_pkcs11_array_get_type                 (void) G_GNUC_CONST;
+
+GPkcs11Array*       g_pkcs11_array_new                      (void);
+
+#define             g_pkcs11_array_index(array,index_)      ((array)->attrs)[index_]
+
+void                g_pkcs11_array_add                      (GPkcs11Array        *array,
+                                                             CK_ATTRIBUTE        *attr);
+
+void                g_pkcs11_array_add_value                (GPkcs11Array        *array,
+                                                             CK_ATTRIBUTE_TYPE    type,
+                                                             gconstpointer        value,
+                                                             gssize               length);
+
+void                g_pkcs11_array_add_boolean              (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type,
+                                                             gboolean              value);
+
+void                g_pkcs11_array_add_ulong                (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type,
+                                                             gulong                value);
+
+void                g_pkcs11_array_set                      (GPkcs11Array        *array,
+                                                             CK_ATTRIBUTE        *attr);
+
+void                g_pkcs11_array_set_value                (GPkcs11Array        *array,
+                                                             CK_ATTRIBUTE_TYPE    type,
+                                                             gconstpointer        value,
+                                                             gssize               length);
+
+void                g_pkcs11_array_set_boolean              (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type,
+                                                             gboolean              value);
+
+void                g_pkcs11_array_set_ulong                (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type,
+                                                             gulong                value);
+
+const CK_ATTRIBUTE* g_pkcs11_array_find                     (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type);
+
+const CK_ATTRIBUTE* g_pkcs11_array_find_valid               (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type);
+
+gboolean            g_pkcs11_array_find_boolean             (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type,
+                                                             gboolean             *value);
+
+gboolean            g_pkcs11_array_find_ulong               (GPkcs11Array         *array,
+                                                             CK_ATTRIBUTE_TYPE     type,
+                                                             gulong               *value);
+
+GPkcs11Array*       g_pkcs11_array_ref                      (GPkcs11Array         *array);
+
+void                g_pkcs11_array_unref                    (GPkcs11Array         *array);
+
+G_END_DECLS
+
+#endif /* __G_PKCS11_ARRAY_H___ */
diff --git a/tls/pkcs11/gpkcs11pin.c b/tls/pkcs11/gpkcs11pin.c
new file mode 100644
index 0000000..6578bf4
--- /dev/null
+++ b/tls/pkcs11/gpkcs11pin.c
@@ -0,0 +1,159 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - GLib Input, Output and Streaming Library
+ *
+ * Copyright © 2011 Collabora Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include "config.h"
+
+#include <string.h>
+
+#include "gpkcs11pin.h"
+#include <glib/gi18n-lib.h>
+
+enum
+{
+  PROP_0,
+
+  PROP_FLAGS,
+  PROP_DESCRIPTION
+};
+
+struct _GPkcs11Pin
+{
+  GTlsPassword parent_instance;
+
+  P11KitPin *pin;
+};
+
+G_DEFINE_TYPE (GPkcs11Pin, g_pkcs11_pin, G_TYPE_TLS_PASSWORD);
+
+static void
+g_pkcs11_pin_init (GPkcs11Pin *self)
+{
+}
+
+static void
+g_pkcs11_pin_finalize (GObject *object)
+{
+  GPkcs11Pin *self = G_PKCS11_PIN (object);
+
+  if (self->pin)
+    p11_kit_pin_unref (self->pin);
+
+  G_OBJECT_CLASS (g_pkcs11_pin_parent_class)->finalize (object);
+}
+
+static const guchar *
+g_pkcs11_pin_get_value (GTlsPassword  *password,
+                        gsize         *length)
+{
+  GPkcs11Pin *self = G_PKCS11_PIN (password);
+
+  if (!self->pin)
+    {
+      if (length)
+        *length = 0;
+      return NULL;
+    }
+
+  return p11_kit_pin_get_value (self->pin, length);
+}
+
+static void
+g_pkcs11_pin_set_value (GTlsPassword  *password,
+                        guchar        *value,
+                        gssize         length,
+                        GDestroyNotify destroy)
+{
+  GPkcs11Pin *self = G_PKCS11_PIN (password);
+
+  if (self->pin)
+    {
+      p11_kit_pin_unref (self->pin);
+      self->pin = NULL;
+    }
+
+  if (length < 0)
+    length = strlen ((gchar *)value);
+
+  self->pin = p11_kit_pin_new_for_buffer (value, length, destroy);
+}
+
+static const gchar *
+g_pkcs11_pin_get_default_warning (GTlsPassword  *password)
+{
+  GTlsPasswordFlags flags;
+
+  flags = g_tls_password_get_flags (password);
+
+  if (flags & G_TLS_PASSWORD_FINAL_TRY)
+    return _("This is the last chance to enter the PIN correctly before the token is locked.");
+  if (flags & G_TLS_PASSWORD_MANY_TRIES)
+    return _("Several PIN attempts have been incorrect, and the token will be locked after further 
failures.");
+  if (flags & G_TLS_PASSWORD_RETRY)
+    return _("The PIN entered is incorrect.");
+
+  return NULL;
+}
+
+
+static void
+g_pkcs11_pin_class_init (GPkcs11PinClass *klass)
+{
+  GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
+  GTlsPasswordClass *password_class = G_TLS_PASSWORD_CLASS (klass);
+
+  password_class->get_value = g_pkcs11_pin_get_value;
+  password_class->set_value = g_pkcs11_pin_set_value;
+  password_class->get_default_warning = g_pkcs11_pin_get_default_warning;
+
+  gobject_class->finalize     = g_pkcs11_pin_finalize;
+}
+
+GTlsPassword *
+g_pkcs11_pin_new (GTlsPasswordFlags  flags,
+                  const gchar       *description)
+{
+  GPkcs11Pin *self;
+
+  self = g_object_new (G_TYPE_PKCS11_PIN,
+                       "flags", flags,
+                       "description", description,
+                       NULL);
+
+  return G_TLS_PASSWORD (self);
+}
+
+
+P11KitPin *
+g_pkcs11_pin_steal_internal (GPkcs11Pin  *self)
+{
+  P11KitPin *pin;
+
+  g_return_val_if_fail (G_IS_PKCS11_PIN (self), NULL);
+
+  pin = self->pin;
+  self->pin = NULL;
+  return pin;
+}
diff --git a/tls/pkcs11/gpkcs11pin.h b/tls/pkcs11/gpkcs11pin.h
new file mode 100644
index 0000000..5fbb662
--- /dev/null
+++ b/tls/pkcs11/gpkcs11pin.h
@@ -0,0 +1,46 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - GLib Pin, Output and Pkcs11ing Library
+ *
+ * Copyright © 2011 Collabora Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#ifndef __G_PKCS11_PIN_H__
+#define __G_PKCS11_PIN_H__
+
+#include <gio/gio.h>
+#include <p11-kit/pin.h>
+
+G_BEGIN_DECLS
+
+#define G_TYPE_PKCS11_PIN            (g_pkcs11_pin_get_type ())
+
+G_DECLARE_FINAL_TYPE (GPkcs11Pin, g_pkcs11_pin, G, PKCS11_PIN, GTlsPassword)
+
+GTlsPassword *          g_pkcs11_pin_new             (GTlsPasswordFlags  flags,
+                                                      const gchar       *description);
+
+P11KitPin *             g_pkcs11_pin_steal_internal  (GPkcs11Pin  *self);
+
+G_END_DECLS
+
+#endif /* __G_PKCS11_PIN_H___ */
diff --git a/tls/pkcs11/gpkcs11slot.c b/tls/pkcs11/gpkcs11slot.c
new file mode 100644
index 0000000..9b24dc0
--- /dev/null
+++ b/tls/pkcs11/gpkcs11slot.c
@@ -0,0 +1,618 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - Small GLib wrapper of PKCS#11 for use in GTls
+ *
+ * Copyright 2011 Collabora, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include "config.h"
+
+#include "gpkcs11slot.h"
+
+#include "gpkcs11array.h"
+#include "gpkcs11pin.h"
+#include "gpkcs11util.h"
+
+#include <glib/gi18n.h>
+
+#include <p11-kit/p11-kit.h>
+#include <p11-kit/pin.h>
+
+#include <stdlib.h>
+
+enum {
+  PROP_0,
+  PROP_MODULE,
+  PROP_SLOT_ID
+};
+
+struct _GPkcs11Slot
+{
+  GObject parent_instance;
+
+  /* read-only after construct */
+  CK_FUNCTION_LIST_PTR module;
+  CK_SLOT_ID slot_id;
+
+  /* protected by mutex */
+  GMutex mutex;
+  CK_SESSION_HANDLE last_session;
+};
+
+G_DEFINE_TYPE (GPkcs11Slot, g_pkcs11_slot, G_TYPE_OBJECT);
+
+static gboolean
+check_if_session_logged_in (GPkcs11Slot        *self,
+                            CK_SESSION_HANDLE   session)
+{
+  CK_SESSION_INFO session_info;
+  CK_RV rv;
+
+  rv = (self->module->C_GetSessionInfo) (session, &session_info);
+  if (rv != CKR_OK)
+    return FALSE;
+
+  /* Already logged in */
+  if (session_info.state == CKS_RO_USER_FUNCTIONS ||
+      session_info.state == CKS_RW_USER_FUNCTIONS)
+    return TRUE;
+
+  return FALSE;
+}
+
+static gboolean
+session_login_protected_auth_path (GPkcs11Slot       *self,
+                                   CK_SESSION_HANDLE  session,
+                                   GError           **error)
+{
+  CK_RV rv;
+
+  rv = (self->module->C_Login) (session, CKU_USER, NULL, 0);
+  if (rv == CKR_USER_ALREADY_LOGGED_IN)
+    rv = CKR_OK;
+  if (g_pkcs11_propagate_error (error, rv))
+    return FALSE;
+  return TRUE;
+}
+
+static gboolean
+session_login_with_pin (GPkcs11Slot          *self,
+                        GTlsInteraction      *interaction,
+                        CK_SESSION_HANDLE     session,
+                        CK_TOKEN_INFO        *token_info,
+                        GTlsPasswordFlags     flags,
+                        GCancellable         *cancellable,
+                        GError              **error)
+{
+  GTlsInteractionResult result = G_TLS_INTERACTION_UNHANDLED;
+  GTlsPassword *password = NULL;
+  const guchar *value;
+  gsize length;
+  CK_RV rv;
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return FALSE;
+
+  else if (interaction != NULL)
+    {
+      gchar *description = p11_kit_space_strdup (token_info->label,
+                                                 sizeof (token_info->label));
+      password = g_tls_password_new (flags, description);
+      free (description);
+
+      result = g_tls_interaction_ask_password (interaction, password, cancellable, error);
+    }
+
+  switch (result)
+    {
+    case G_TLS_INTERACTION_UNHANDLED:
+      g_clear_object (&password);
+      g_message ("no pin is available to log in, or the user cancelled pin entry");
+      return TRUE;
+    case G_TLS_INTERACTION_FAILED:
+      g_clear_object (&password);
+      return FALSE;
+    case G_TLS_INTERACTION_HANDLED:
+      break;
+    }
+
+  g_assert (interaction != NULL && password != NULL);
+  value = g_tls_password_get_value (password, &length);
+  rv = (self->module->C_Login) (session, CKU_USER, (CK_UTF8CHAR_PTR)value, length);
+  g_object_unref (password);
+
+  if (rv == CKR_USER_ALREADY_LOGGED_IN)
+    rv = CKR_OK;
+  if (g_pkcs11_propagate_error (error, rv))
+    return FALSE;
+  return TRUE;
+}
+
+static gboolean
+session_login_if_necessary (GPkcs11Slot        *self,
+                            GTlsInteraction    *interaction,
+                            CK_SESSION_HANDLE   session,
+                            GCancellable       *cancellable,
+                            GError            **error)
+{
+  CK_TOKEN_INFO token_info;
+  GTlsPasswordFlags flags = 0;
+  GError *err = NULL;
+  CK_RV rv;
+
+  for (;;)
+    {
+      if (g_cancellable_set_error_if_cancelled (cancellable, error))
+        return FALSE;
+
+      /* Do we actually need to login? */
+      if (check_if_session_logged_in (self, session))
+        return TRUE;
+
+      /* Get the token information, this can change between login attempts */
+      rv = (self->module->C_GetTokenInfo) (self->slot_id, &token_info);
+      if (g_pkcs11_propagate_error (error, rv))
+        return FALSE;
+
+      if (!(token_info.flags & CKF_LOGIN_REQUIRED))
+        return TRUE;
+
+      /* Login is not initialized on token, don't try to login */
+      if (!(token_info.flags & CKF_USER_PIN_INITIALIZED))
+        return TRUE;
+
+      /* Protected auth path, only call login once, and let token prompt user */
+      if (token_info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+        return session_login_protected_auth_path (self, session, error);
+
+      /* Normal authentication path, ask p11-kit to call any callbacks */
+      else
+        {
+
+          if (token_info.flags & CKF_SO_PIN_COUNT_LOW)
+            flags |= G_TLS_PASSWORD_MANY_TRIES;
+          if (token_info.flags & CKF_SO_PIN_FINAL_TRY)
+            flags |= G_TLS_PASSWORD_FINAL_TRY;
+
+          if (session_login_with_pin (self, interaction, session, &token_info,
+                                      flags, cancellable, &err))
+            return TRUE;
+
+          /* User cancelled, don't try to log in */
+          if (err == NULL)
+            return TRUE;
+
+          if (!g_error_matches (err, G_PKCS11_ERROR, CKR_PIN_INCORRECT))
+            {
+              g_propagate_error (error, err);
+              return FALSE;
+            }
+
+          /* Try again */
+          g_clear_error (&err);
+          flags |= G_TLS_PASSWORD_RETRY;
+        }
+    }
+}
+
+static CK_SESSION_HANDLE
+session_checkout_or_open (GPkcs11Slot     *self,
+                          GTlsInteraction *interaction,
+                          gboolean         login,
+                          GCancellable    *cancellable,
+                          GError         **error)
+{
+  CK_SESSION_HANDLE session = 0;
+  CK_RV rv;
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    return 0;
+
+  g_mutex_lock (&self->mutex);
+
+  if (self->last_session)
+    {
+      session = self->last_session;
+      self->last_session = 0;
+    }
+
+  g_mutex_unlock (&self->mutex);
+
+  if (!session)
+    {
+      rv = (self->module->C_OpenSession) (self->slot_id, CKF_SERIAL_SESSION,
+                                          NULL, NULL, &session);
+      if (g_pkcs11_propagate_error (error, rv))
+        return 0;
+    }
+
+  if (login)
+    {
+      if (!session_login_if_necessary (self, interaction, session, cancellable, error))
+        {
+          (self->module->C_CloseSession) (session);
+          return 0;
+        }
+    }
+
+  return session;
+}
+
+static void
+session_close (GPkcs11Slot       *self,
+               CK_SESSION_HANDLE   session)
+{
+  CK_RV rv;
+
+  g_assert (session != 0);
+
+  rv = (self->module->C_CloseSession) (session);
+  if (rv != CKR_OK)
+    g_warning ("couldn't close pkcs11 session: %s",
+               p11_kit_strerror (rv));
+}
+
+static void
+session_checkin_or_close (GPkcs11Slot      *self,
+                          CK_SESSION_HANDLE  session)
+{
+  g_assert (session != 0);
+
+  g_mutex_lock (&self->mutex);
+
+  if (self->last_session == 0)
+    {
+      self->last_session = session;
+      session = 0;
+    }
+
+  g_mutex_unlock (&self->mutex);
+
+  if (session != 0)
+    session_close (self, session);
+}
+
+static GPkcs11Array*
+retrieve_object_attributes (GPkcs11Slot              *self,
+                            CK_SESSION_HANDLE         session,
+                            CK_OBJECT_HANDLE          object,
+                            const CK_ATTRIBUTE_TYPE  *attr_types,
+                            guint                     attr_types_length,
+                            GError                  **error)
+{
+  GPkcs11Array *result;
+  CK_ATTRIBUTE_PTR attr;
+  CK_ATTRIBUTE blank;
+  CK_RV rv;
+  guint i;
+
+  result = g_pkcs11_array_new ();
+  memset (&blank, 0, sizeof (blank));
+  for (i = 0; i < attr_types_length; ++i)
+    {
+      blank.type = attr_types[i];
+      g_pkcs11_array_add (result, &blank);
+    }
+
+  /* Get all the required buffer sizes */
+  rv = (self->module->C_GetAttributeValue) (session, object,
+                                            result->attrs, result->count);
+  if (rv == CKR_ATTRIBUTE_SENSITIVE ||
+      rv == CKR_ATTRIBUTE_TYPE_INVALID)
+    rv = CKR_OK;
+  if (g_pkcs11_propagate_error (error, rv))
+    {
+      g_pkcs11_array_unref (result);
+      return NULL;
+    }
+
+  /* Now allocate memory for them all */
+  for (i = 0; i < attr_types_length; ++i)
+    {
+      attr = &g_pkcs11_array_index (result, i);
+      if (attr->ulValueLen != (CK_ULONG)-1 && attr->ulValueLen)
+          attr->pValue = g_malloc0 (attr->ulValueLen);
+    }
+
+  /* And finally get all the values */
+  rv = (self->module->C_GetAttributeValue) (session, object,
+                                            result->attrs, result->count);
+  if (rv == CKR_ATTRIBUTE_SENSITIVE ||
+      rv == CKR_ATTRIBUTE_TYPE_INVALID ||
+      rv == CKR_BUFFER_TOO_SMALL)
+    rv = CKR_OK;
+  if (g_pkcs11_propagate_error (error, rv))
+    {
+      g_pkcs11_array_unref (result);
+      return NULL;
+    }
+
+  return result;
+}
+
+static void
+g_pkcs11_slot_init (GPkcs11Slot *self)
+{
+  g_mutex_init (&self->mutex);
+}
+
+static void
+g_pkcs11_slot_dispose (GObject *object)
+{
+  GPkcs11Slot *self = G_PKCS11_SLOT (object);
+  CK_SESSION_HANDLE session = 0;
+
+  g_mutex_lock (&self->mutex);
+
+  session = self->last_session;
+  self->last_session = 0;
+
+  g_mutex_unlock (&self->mutex);
+
+  if (session)
+    session_close (self, session);
+
+  G_OBJECT_CLASS (g_pkcs11_slot_parent_class)->dispose (object);
+}
+
+static void
+g_pkcs11_slot_finalize (GObject *object)
+{
+  GPkcs11Slot *self = G_PKCS11_SLOT (object);
+
+  g_assert (self->last_session == 0);
+  g_mutex_clear (&self->mutex);
+
+  G_OBJECT_CLASS (g_pkcs11_slot_parent_class)->finalize (object);
+}
+
+static void
+g_pkcs11_slot_get_property (GObject    *object,
+                             guint       prop_id,
+                             GValue     *value,
+                             GParamSpec *pspec)
+{
+  GPkcs11Slot *self = G_PKCS11_SLOT (object);
+
+  switch (prop_id)
+    {
+    case PROP_MODULE:
+      g_value_set_pointer (value, self->module);
+      break;
+
+    case PROP_SLOT_ID:
+      g_value_set_ulong (value, self->slot_id);
+      break;
+
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+    }
+}
+
+static void
+g_pkcs11_slot_set_property (GObject      *object,
+                             guint         prop_id,
+                             const GValue *value,
+                             GParamSpec   *pspec)
+{
+  GPkcs11Slot *self = G_PKCS11_SLOT (object);
+
+  switch (prop_id)
+    {
+    case PROP_MODULE:
+      self->module = g_value_get_pointer (value);
+      g_assert (self->module);
+      break;
+
+    case PROP_SLOT_ID:
+      self->slot_id = g_value_get_ulong (value);
+      break;
+
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+    }
+}
+
+static void
+g_pkcs11_slot_class_init (GPkcs11SlotClass *klass)
+{
+  GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
+
+  gobject_class->get_property = g_pkcs11_slot_get_property;
+  gobject_class->set_property = g_pkcs11_slot_set_property;
+  gobject_class->dispose      = g_pkcs11_slot_dispose;
+  gobject_class->finalize     = g_pkcs11_slot_finalize;
+
+  g_object_class_install_property (gobject_class, PROP_MODULE,
+                                   g_param_spec_pointer ("module",
+                                                         N_("Module"),
+                                                         N_("PKCS#11 Module Pointer"),
+                                                         G_PARAM_READWRITE |
+                                                         G_PARAM_CONSTRUCT |
+                                                         G_PARAM_STATIC_STRINGS));
+
+  g_object_class_install_property (gobject_class, PROP_SLOT_ID,
+                                   g_param_spec_ulong ("slot-id",
+                                                         N_("Slot ID"),
+                                                         N_("PKCS#11 Slot Identifier"),
+                                                         0,
+                                                         G_MAXULONG,
+                                                         G_MAXULONG,
+                                                         G_PARAM_READWRITE |
+                                                         G_PARAM_CONSTRUCT |
+                                                         G_PARAM_STATIC_STRINGS));
+}
+
+GPkcs11EnumerateState
+g_pkcs11_slot_enumerate (GPkcs11Slot             *self,
+                         GTlsInteraction         *interaction,
+                         CK_ATTRIBUTE_PTR         match,
+                         CK_ULONG                 match_count,
+                         gboolean                 match_private,
+                         const CK_ATTRIBUTE_TYPE *attr_types,
+                         guint                    attr_types_length,
+                         GPkcs11Accumulator       accumulator,
+                         gpointer                 user_data,
+                         GCancellable            *cancellable,
+                         GError                 **error)
+{
+  GPkcs11EnumerateState state = G_PKCS11_ENUMERATE_CONTINUE;
+  CK_OBJECT_HANDLE objects[256];
+  CK_SESSION_HANDLE session;
+  GPkcs11Array *attrs;
+  GError *err = NULL;
+  CK_ULONG count, i;
+  CK_RV rv;
+
+  g_return_val_if_fail (G_IS_PKCS11_SLOT (self), FALSE);
+  g_return_val_if_fail (accumulator, FALSE);
+  g_return_val_if_fail (!error || !*error, FALSE);
+
+  session = session_checkout_or_open (self, interaction, match_private,
+                                      cancellable, &err);
+  if (err != NULL)
+    {
+      /* If the slot isn't present, then nothing to match :) */
+      if (g_error_matches (err, G_PKCS11_ERROR, CKR_TOKEN_NOT_PRESENT))
+        {
+          g_clear_error (&err);
+          return G_PKCS11_ENUMERATE_CONTINUE;
+        }
+
+      g_propagate_error (error, err);
+      return G_PKCS11_ENUMERATE_FAILED;
+    }
+
+  rv = (self->module->C_FindObjectsInit) (session, match, match_count);
+
+  while (state == G_PKCS11_ENUMERATE_CONTINUE && rv == CKR_OK &&
+         !g_cancellable_is_cancelled (cancellable))
+    {
+      count = 0;
+      rv = (self->module->C_FindObjects) (session, objects,
+                                          G_N_ELEMENTS (objects), &count);
+      if (rv == CKR_OK)
+        {
+          if (count == 0)
+            break;
+
+          for (i = 0; state == G_PKCS11_ENUMERATE_CONTINUE && i < count; ++i)
+            {
+              if (attr_types_length)
+                {
+                  attrs = retrieve_object_attributes (self, session, objects[i],
+                                                  attr_types, attr_types_length, error);
+                  if (attrs == NULL)
+                      state = G_PKCS11_ENUMERATE_FAILED;
+                }
+              else
+                {
+                  attrs = NULL;
+                }
+
+              if (state == G_PKCS11_ENUMERATE_CONTINUE)
+                {
+                  if (!(accumulator) (attrs, user_data))
+                    state = G_PKCS11_ENUMERATE_STOP;
+                }
+
+              if (attrs)
+                g_pkcs11_array_unref (attrs);
+
+              if (g_cancellable_is_cancelled (cancellable))
+                break;
+            }
+        }
+    }
+
+  if (g_cancellable_set_error_if_cancelled (cancellable, error))
+    {
+      state = G_PKCS11_ENUMERATE_FAILED;
+    }
+  else if (rv != CKR_OK && rv != CKR_TOKEN_NOT_PRESENT)
+    {
+      g_pkcs11_propagate_error (error, rv);
+      state = G_PKCS11_ENUMERATE_FAILED;
+    }
+
+  rv = (self->module->C_FindObjectsFinal) (session);
+  if (rv == CKR_OK)
+    session_checkin_or_close (self, session);
+  else
+    session_close (self, session);
+
+  return state;
+}
+
+gboolean
+g_pkcs11_slot_get_token_info (GPkcs11Slot       *self,
+                              CK_TOKEN_INFO_PTR  token_info)
+{
+  CK_RV rv;
+
+  g_return_val_if_fail (G_IS_PKCS11_SLOT (self), FALSE);
+  g_return_val_if_fail (token_info, FALSE);
+
+  memset (token_info, 0, sizeof (CK_TOKEN_INFO));
+  rv = (self->module->C_GetTokenInfo) (self->slot_id, token_info);
+  if (rv == CKR_TOKEN_NOT_PRESENT)
+    return FALSE;
+
+  if (rv != CKR_OK)
+    {
+      g_warning ("call to C_GetTokenInfo on PKCS#11 module failed: %s",
+                 p11_kit_strerror (rv));
+      return FALSE;
+    }
+
+  return TRUE;
+}
+
+gboolean
+g_pkcs11_slot_matches_uri (GPkcs11Slot            *self,
+                           P11KitUri              *uri)
+{
+  CK_INFO library;
+  CK_TOKEN_INFO token;
+  CK_RV rv;
+
+  g_return_val_if_fail (G_IS_PKCS11_SLOT (self), FALSE);
+  g_return_val_if_fail (uri, FALSE);
+
+  memset (&library, 0, sizeof (library));
+  rv = (self->module->C_GetInfo) (&library);
+  if (rv != CKR_OK)
+    {
+      g_warning ("call to C_GetInfo on PKCS#11 module failed: %s",
+                 p11_kit_strerror (rv));
+      return FALSE;
+    }
+
+  if (!p11_kit_uri_match_module_info (uri, &library))
+    return FALSE;
+
+  memset (&token, 0, sizeof (token));
+  if (!g_pkcs11_slot_get_token_info (self, &token))
+    return FALSE;
+
+  return p11_kit_uri_match_token_info (uri, &token);
+}
diff --git a/tls/pkcs11/gpkcs11slot.h b/tls/pkcs11/gpkcs11slot.h
new file mode 100644
index 0000000..a57c2a6
--- /dev/null
+++ b/tls/pkcs11/gpkcs11slot.h
@@ -0,0 +1,73 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - Small GLib wrapper of PKCS#11 for use in GTls
+ *
+ * Copyright 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#ifndef __G_PKCS11_SLOT_H__
+#define __G_PKCS11_SLOT_H__
+
+#include <gio/gio.h>
+
+#include "gpkcs11array.h"
+
+#include <p11-kit/pkcs11.h>
+#include <p11-kit/uri.h>
+
+G_BEGIN_DECLS
+
+typedef enum
+{
+  G_PKCS11_ENUMERATE_FAILED,
+  G_PKCS11_ENUMERATE_STOP,
+  G_PKCS11_ENUMERATE_CONTINUE
+} GPkcs11EnumerateState;
+
+#define G_TYPE_PKCS11_SLOT            (g_pkcs11_slot_get_type ())
+
+G_DECLARE_FINAL_TYPE (GPkcs11Slot, g_pkcs11_slot, G, PKCS11_SLOT, GObject)
+
+typedef gboolean             (*GPkcs11Accumulator)            (gpointer result,
+                                                               gpointer user_data);
+
+GPkcs11EnumerateState        g_pkcs11_slot_enumerate          (GPkcs11Slot             *self,
+                                                               GTlsInteraction         *interaction,
+                                                               CK_ATTRIBUTE_PTR         match,
+                                                               CK_ULONG                 match_count,
+                                                               gboolean                 match_private,
+                                                               const CK_ATTRIBUTE_TYPE *attr_types,
+                                                               guint                    attr_types_length,
+                                                               GPkcs11Accumulator       accumulator,
+                                                               gpointer                 user_data,
+                                                               GCancellable            *cancellable,
+                                                               GError                 **error);
+
+gboolean                     g_pkcs11_slot_get_token_info     (GPkcs11Slot             *self,
+                                                               CK_TOKEN_INFO_PTR        token_info);
+
+gboolean                     g_pkcs11_slot_matches_uri        (GPkcs11Slot             *self,
+                                                               P11KitUri               *uri);
+
+G_END_DECLS
+
+#endif /* __G_PKCS11_SLOT_H___ */
diff --git a/tls/pkcs11/gpkcs11util.c b/tls/pkcs11/gpkcs11util.c
new file mode 100644
index 0000000..6ffe18f
--- /dev/null
+++ b/tls/pkcs11/gpkcs11util.c
@@ -0,0 +1,63 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - Small GLib wrapper of PKCS#11 for use in GTls
+ *
+ * Copyright 2011 Collabora, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include "config.h"
+
+#include "gpkcs11util.h"
+
+#include <glib/gi18n-lib.h>
+#include <gio/gio.h>
+
+#include <p11-kit/p11-kit.h>
+
+GQuark
+g_pkcs11_get_error_domain (void)
+{
+  static GQuark domain = 0;
+  static volatile gsize quark_inited = 0;
+
+  if (g_once_init_enter (&quark_inited))
+    {
+      domain = g_quark_from_static_string ("g-pkcs11-error");
+      g_once_init_leave (&quark_inited, 1);
+    }
+
+  return domain;
+}
+
+gboolean
+g_pkcs11_propagate_error (GError **error, CK_RV rv)
+{
+  if (rv == CKR_OK)
+    return FALSE;
+  if (rv == CKR_CANCEL)
+      g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_CANCELLED,
+                           p11_kit_strerror (rv));
+  else
+    g_set_error_literal (error, G_PKCS11_ERROR, (gint)rv,
+                         p11_kit_strerror (rv));
+  return TRUE;
+}
diff --git a/tls/pkcs11/gpkcs11util.h b/tls/pkcs11/gpkcs11util.h
new file mode 100644
index 0000000..9368a78
--- /dev/null
+++ b/tls/pkcs11/gpkcs11util.h
@@ -0,0 +1,51 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO - Small GLib wrapper of PKCS#11 for use in GTls
+ *
+ * Copyright 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#ifndef __G_PKCS11_UTIL_H__
+#define __G_PKCS11_UTIL_H__
+
+#include <glib.h>
+
+#include <p11-kit/pkcs11.h>
+
+G_BEGIN_DECLS
+
+#define                G_PKCS11_VENDOR_CODE               0x47000000 /* G000 */
+
+enum {
+  G_PKCS11_ERROR_BAD_URI = (CKR_VENDOR_DEFINED | (G_PKCS11_VENDOR_CODE + 1)),
+};
+
+#define                G_PKCS11_ERROR                     (g_pkcs11_get_error_domain ())
+
+GQuark                 g_pkcs11_get_error_domain          (void) G_GNUC_CONST;
+
+gboolean               g_pkcs11_propagate_error           (GError **error,
+                                                           CK_RV rv);
+
+G_END_DECLS
+
+#endif /* __G_PKCS11_UTIL_H___ */
diff --git a/tls/pkcs11/meson.build b/tls/pkcs11/meson.build
new file mode 100644
index 0000000..94f55d9
--- /dev/null
+++ b/tls/pkcs11/meson.build
@@ -0,0 +1,28 @@
+sources = files(
+  'gpkcs11array.c',
+  'gpkcs11pin.c',
+  'gpkcs11slot.c',
+  'gpkcs11util.c'
+)
+
+deps = [
+  glib_dep,
+  gio_dep,
+  gmodule_dep,
+  gobject_dep,
+  pkcs11_dep
+]
+
+libgiopkcs11 = static_library(
+  'giopkcs11',
+  sources: sources,
+  include_directories: top_inc,
+  dependencies: deps,
+  install: get_option('static_modules')
+)
+
+libgiopkcs11_dep = declare_dependency(
+  link_with: libgiopkcs11,
+  include_directories: include_directories('.'),
+  dependencies: deps
+)
diff --git a/tls/pkcs11/pkcs11-trust-assertions.h b/tls/pkcs11/pkcs11-trust-assertions.h
new file mode 100644
index 0000000..cfc916b
--- /dev/null
+++ b/tls/pkcs11/pkcs11-trust-assertions.h
@@ -0,0 +1,59 @@
+/*
+ * pkcs11x.h
+ *  Copyright 2010 Collabora, Ltd
+ *
+ * This file is free software; as a special exception the author gives
+ * unlimited permission to copy and/or distribute it, with or without
+ * modifications, as long as this notice is preserved.
+ *
+ * This file is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+ * the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ */
+
+/*
+ * The latest version of this file is at:
+ *
+ * git://thewalter.net/git/pkcs11-trust-assertions
+ *
+ * or viewable on the web at:
+ *
+ * http://thewalter.net/git/cgit.cgi/pkcs11-trust-assertions/tree/pkcs11-trust-assertions.h
+ *
+ */
+
+#ifndef PKCS11_TRUST_ASSERTIONS_H
+#define PKCS11_TRUST_ASSERTIONS_H
+
+#include <p11-kit/pkcs11.h>
+
+#define CKA_XDG   (CKA_VENDOR_DEFINED | 0x58444700UL /* XDG0 */ )
+#define CKO_XDG   (CKA_VENDOR_DEFINED | 0x58444700UL /* XDG0 */ )
+
+/* -------------------------------------------------------------------
+ * TRUST ASSERTIONS
+ */
+
+#define CKO_X_TRUST_ASSERTION                    (CKO_XDG + 100)
+
+#define CKA_X_ASSERTION_TYPE                     (CKA_XDG + 1)
+
+#define CKA_X_CERTIFICATE_VALUE                  (CKA_XDG + 2)
+
+#define CKA_X_PURPOSE                            (CKA_XDG + 3)
+
+#define CKA_X_PEER                               (CKA_XDG + 4)
+
+typedef CK_ULONG CK_X_ASSERTION_TYPE;
+
+#define CKT_X_UNTRUSTED_CERTIFICATE              1UL
+
+#define CKT_X_PINNED_CERTIFICATE                 2UL
+
+#define CKT_X_ANCHORED_CERTIFICATE               3UL
+
+#endif /* PKCS11_TRUST_ASSERTIONS_H */
diff --git a/tls/tests/meson.build b/tls/tests/meson.build
index fc73a4b..1aee911 100644
--- a/tls/tests/meson.build
+++ b/tls/tests/meson.build
@@ -29,6 +29,20 @@ test_programs = [
 #  ['dtls-connection', ['mock-interaction.c'], deps, ['openssl']],
 ]
 
+if pkcs11_dep.found()
+  pkcs11_deps = deps + [
+    libgiopkcs11_dep,
+    pkcs11_dep
+  ]
+
+  test_programs += [
+    ['pkcs11-util', [], pkcs11_deps, []],
+    ['pkcs11-array', [], pkcs11_deps, []],
+    ['pkcs11-pin', [], pkcs11_deps, []],
+    ['pkcs11-slot', ['mock-interaction.c', 'mock-pkcs11.c'], pkcs11_deps, []]
+  ]
+endif
+
 foreach backend: backends
   foreach program: test_programs
     if not program[3].contains(backend)
diff --git a/tls/tests/mock-pkcs11.c b/tls/tests/mock-pkcs11.c
new file mode 100644
index 0000000..75a6874
--- /dev/null
+++ b/tls/tests/mock-pkcs11.c
@@ -0,0 +1,1547 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * Copyright (C) 2010 Stefan Walter
+ * Copyright (C) 2011 Collabora Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General  License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General  License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ */
+
+#include "config.h"
+
+#include "mock-pkcs11.h"
+
+#include <p11-kit/pkcs11.h>
+
+#include <glib.h>
+
+#include <string.h>
+
+/*
+ * This is *NOT* how you'd want to implement a PKCS#11 module. This
+ * fake module simply provides enough for gnutls-pkcs11 backend to test against.
+ * It doesn't pass any tests, or behave as expected from a PKCS#11 module.
+ */
+
+static gboolean initialized = FALSE;
+static gchar *the_pin = NULL;
+static gulong n_the_pin = 0;
+
+static gboolean logged_in = FALSE;
+static CK_USER_TYPE user_type = 0;
+static CK_FUNCTION_LIST functionList;
+
+typedef enum
+{
+  OP_FIND = 1,
+  OP_CRYPTO
+} Operation;
+
+typedef struct
+{
+  CK_SESSION_HANDLE handle;
+  CK_SESSION_INFO info;
+  GHashTable *objects;
+
+  Operation operation;
+
+  /* For find operations */
+  GList *matches;
+
+  /* For crypto operations */
+  CK_OBJECT_HANDLE crypto_key;
+  CK_ATTRIBUTE_TYPE crypto_method;
+  CK_MECHANISM_TYPE crypto_mechanism;
+  CK_BBOOL want_context_login;
+} Session;
+
+static guint unique_identifier = 100;
+static GHashTable *the_sessions = NULL;
+static GHashTable *the_objects = NULL;
+
+static void
+free_session (gpointer data)
+{
+  Session *sess = (Session *)data;
+  if (sess)
+    g_hash_table_destroy (sess->objects);
+  g_free (sess);
+}
+
+static GPkcs11Array *
+lookup_object (Session *session,
+               CK_OBJECT_HANDLE hObject)
+{
+  GPkcs11Array *attrs;
+  attrs = g_hash_table_lookup (the_objects, GUINT_TO_POINTER (hObject));
+  if (!attrs)
+    attrs = g_hash_table_lookup (session->objects, GUINT_TO_POINTER (hObject));
+  return attrs;
+}
+
+CK_OBJECT_HANDLE
+mock_module_take_object (GPkcs11Array *attrs)
+{
+  gboolean token;
+  guint handle;
+
+  g_return_val_if_fail (the_objects, 0);
+
+  if (g_pkcs11_array_find_boolean (attrs, CKA_TOKEN, &token))
+    g_return_val_if_fail (token == TRUE, 0);
+
+  handle = ++unique_identifier;
+  g_pkcs11_array_add_boolean (attrs, CKA_TOKEN, TRUE);
+  g_hash_table_insert (the_objects, GUINT_TO_POINTER (handle), attrs);
+  return handle;
+}
+
+void
+mock_module_enumerate_objects (CK_SESSION_HANDLE handle,
+                               MockEnumerator func,
+                               gpointer user_data)
+{
+  GHashTableIter iter;
+  gpointer key;
+  gpointer value;
+  Session *session;
+  gboolean private;
+
+  g_assert (the_objects);
+  g_assert (func);
+
+  /* Token objects */
+  g_hash_table_iter_init (&iter, the_objects);
+  while (g_hash_table_iter_next (&iter, &key, &value))
+    {
+      /* Don't include private objects when not logged in */
+      if (!logged_in)
+        {
+          if (g_pkcs11_array_find_boolean (value, CKA_PRIVATE, &private) && private == TRUE)
+            continue;
+        }
+
+      if (!(func) (GPOINTER_TO_UINT (key), value, user_data))
+        return;
+    }
+
+  /* session objects */
+  if (handle)
+    {
+      session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (handle));
+      if (session)
+        {
+          g_hash_table_iter_init (&iter, session->objects);
+          while (g_hash_table_iter_next (&iter, &key, &value))
+            {
+              /* Don't include private objects when not logged in */
+              if (!logged_in)
+                {
+                  if (g_pkcs11_array_find_boolean (value, CKA_PRIVATE, &private) && private == TRUE)
+                    continue;
+                }
+
+              if (!(func) (GPOINTER_TO_UINT (key), value, user_data))
+                return;
+            }
+        }
+    }
+}
+
+typedef struct {
+  CK_ATTRIBUTE_PTR attrs;
+  CK_ULONG n_attrs;
+  CK_OBJECT_HANDLE object;
+} FindObject;
+
+static gboolean
+enumerate_and_find_object (CK_OBJECT_HANDLE object,
+                           GPkcs11Array *attrs,
+                           gpointer user_data)
+{
+  FindObject *ctx = user_data;
+  const CK_ATTRIBUTE *match;
+  const CK_ATTRIBUTE *attr;
+  CK_ULONG i;
+
+  for (i = 0; i < ctx->n_attrs; ++i)
+    {
+      match = ctx->attrs + i;
+      attr = g_pkcs11_array_find (attrs, match->type);
+      if (!attr)
+        return TRUE; /* Continue */
+
+      if (attr->ulValueLen != match->ulValueLen ||
+          memcmp (attr->pValue, match->pValue, attr->ulValueLen) != 0)
+        return TRUE; /* Continue */
+    }
+
+  ctx->object = object;
+  return FALSE; /* Stop iteration */
+}
+
+CK_OBJECT_HANDLE
+mock_module_find_object (CK_SESSION_HANDLE session,
+                         CK_ATTRIBUTE_PTR attrs,
+                         CK_ULONG n_attrs)
+{
+  FindObject ctx;
+
+  ctx.attrs = attrs;
+  ctx.n_attrs = n_attrs;
+  ctx.object = 0;
+
+  mock_module_enumerate_objects (session, enumerate_and_find_object, &ctx);
+  return ctx.object;
+}
+
+static gboolean
+enumerate_and_count_objects (CK_OBJECT_HANDLE object,
+                             GPkcs11Array *attrs,
+                             gpointer user_data)
+{
+  guint *n_objects = user_data;
+  ++(*n_objects);
+  return TRUE; /* Continue */
+}
+
+guint
+mock_module_count_objects (CK_SESSION_HANDLE session)
+{
+  guint n_objects = 0;
+  mock_module_enumerate_objects (session, enumerate_and_count_objects, &n_objects);
+  return n_objects;
+}
+
+void
+mock_module_set_object (CK_OBJECT_HANDLE object,
+                        CK_ATTRIBUTE_PTR attrs,
+                        CK_ULONG n_attrs)
+{
+  CK_ULONG i;
+  GPkcs11Array *atts;
+
+  g_return_if_fail (object != 0);
+  g_return_if_fail (the_objects);
+
+  atts = g_hash_table_lookup (the_objects, GUINT_TO_POINTER (object));
+  g_return_if_fail (atts);
+
+  for (i = 0; i < n_attrs; ++i)
+    g_pkcs11_array_set (atts, &attrs[i]);
+}
+
+void
+mock_module_set_pin (const gchar *password)
+{
+  g_free (the_pin);
+  the_pin = g_strdup (password);
+  n_the_pin = strlen (password);
+}
+
+CK_RV
+mock_C_Initialize (CK_VOID_PTR pInitArgs)
+{
+  GPkcs11Array *attrs;
+  CK_C_INITIALIZE_ARGS_PTR args;
+
+  g_return_val_if_fail (initialized == FALSE, CKR_CRYPTOKI_ALREADY_INITIALIZED);
+
+  args = (CK_C_INITIALIZE_ARGS_PTR)pInitArgs;
+  if (args)
+    {
+      g_return_val_if_fail(
+          (args->CreateMutex == NULL && args->DestroyMutex == NULL &&
+           args->LockMutex == NULL && args->UnlockMutex == NULL) ||
+          (args->CreateMutex != NULL && args->DestroyMutex != NULL &&
+           args->LockMutex != NULL && args->UnlockMutex != NULL),
+          CKR_ARGUMENTS_BAD);
+
+      /* Flags should allow OS locking and os threads */
+      g_return_val_if_fail ((args->flags & CKF_OS_LOCKING_OK), CKR_CANT_LOCK);
+      g_return_val_if_fail ((args->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) == 0, 
CKR_NEED_TO_CREATE_THREADS);
+    }
+
+  the_pin = g_strdup (MOCK_SLOT_ONE_PIN);
+  n_the_pin = strlen (the_pin);
+  the_sessions = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, free_session);
+  the_objects = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, 
(GDestroyNotify)g_pkcs11_array_unref);
+
+  /* Our first token object */
+  attrs = g_pkcs11_array_new ();
+  g_pkcs11_array_add_ulong (attrs, CKA_CLASS, CKO_DATA);
+  g_pkcs11_array_add_value (attrs, CKA_LABEL, "TEST LABEL", -1);
+  g_pkcs11_array_add_boolean (attrs, CKA_TOKEN, TRUE);
+  g_hash_table_insert (the_objects, GUINT_TO_POINTER (2), attrs);
+
+  /* Our second token object */
+  attrs = g_pkcs11_array_new ();
+  g_pkcs11_array_add_ulong (attrs, CKA_CLASS, CKO_DATA);
+  g_pkcs11_array_add_value (attrs, CKA_LABEL, "LABEL TWO", -1);
+  g_pkcs11_array_add_boolean (attrs, CKA_TOKEN, TRUE);
+  g_hash_table_insert (the_objects, GUINT_TO_POINTER (3), attrs);
+
+  /* A private object */
+  attrs = g_pkcs11_array_new ();
+  g_pkcs11_array_add_ulong (attrs, CKA_CLASS, CKO_DATA);
+  g_pkcs11_array_add_value (attrs, CKA_LABEL, "PRIVATE", -1);
+  g_pkcs11_array_add_boolean (attrs, CKA_PRIVATE, TRUE);
+  g_pkcs11_array_add_boolean (attrs, CKA_TOKEN, TRUE);
+  g_hash_table_insert (the_objects, GUINT_TO_POINTER (4), attrs);
+
+  initialized = TRUE;
+  return CKR_OK;
+}
+
+CK_RV
+mock_validate_and_C_Initialize (CK_VOID_PTR pInitArgs)
+{
+  CK_C_INITIALIZE_ARGS_PTR args;
+  void *mutex;
+  CK_RV rv;
+
+  args = (CK_C_INITIALIZE_ARGS_PTR)pInitArgs;
+  if (args)
+    {
+      g_assert ((args->CreateMutex) (NULL) == CKR_ARGUMENTS_BAD && "CreateMutex succeeded wrong");
+      g_assert ((args->DestroyMutex) (NULL) == CKR_MUTEX_BAD && "DestroyMutex succeeded wrong");
+      g_assert ((args->LockMutex) (NULL) == CKR_MUTEX_BAD && "LockMutex succeeded wrong");
+      g_assert ((args->UnlockMutex) (NULL) == CKR_MUTEX_BAD && "UnlockMutex succeeded wrong");
+
+      /* Try to create an actual mutex */
+      rv = (args->CreateMutex) (&mutex);
+      g_assert (rv == CKR_OK && "CreateMutex g_assert_not_reacheded");
+      g_assert (mutex != NULL && "CreateMutex created null mutex");
+
+      /* Try and lock the mutex */
+      rv = (args->LockMutex) (mutex);
+      g_assert (rv == CKR_OK && "LockMutex g_assert_not_reacheded");
+
+      /* Try and unlock the mutex */
+      rv = (args->UnlockMutex) (mutex);
+      g_assert (rv == CKR_OK && "UnlockMutex g_assert_not_reacheded");
+
+      /* Try and destroy the mutex */
+      rv = (args->DestroyMutex) (mutex);
+      g_assert (rv == CKR_OK && "DestroyMutex g_assert_not_reacheded");
+    }
+
+  return mock_C_Initialize (pInitArgs);
+}
+
+CK_RV
+mock_C_Finalize (CK_VOID_PTR pReserved)
+{
+  g_return_val_if_fail (pReserved == NULL, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail (initialized == TRUE, CKR_CRYPTOKI_NOT_INITIALIZED);
+
+  initialized = FALSE;
+  logged_in = FALSE;
+  g_hash_table_destroy (the_objects);
+  the_objects = NULL;
+
+  g_hash_table_destroy (the_sessions);
+  the_sessions = NULL;
+
+  g_free (the_pin);
+  return CKR_OK;
+}
+
+static const CK_INFO TEST_INFO = {
+  { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
+  "TEST MANUFACTURER              ",
+  0,
+  "TEST LIBRARY                   ",
+  { 45, 145 }
+};
+
+CK_RV
+mock_C_GetInfo (CK_INFO_PTR pInfo)
+{
+  g_return_val_if_fail (pInfo, CKR_ARGUMENTS_BAD);
+  memcpy (pInfo, &TEST_INFO, sizeof (*pInfo));
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list)
+{
+  g_return_val_if_fail (list, CKR_ARGUMENTS_BAD);
+  *list = &functionList;
+  return CKR_OK;
+}
+
+/*
+ * Two slots
+ *  ONE: token present
+ *  TWO: token not present
+ */
+
+CK_RV
+mock_C_GetSlotList (CK_BBOOL tokenPresent,
+                    CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
+{
+  CK_ULONG count;
+
+  g_return_val_if_fail (pulCount, CKR_ARGUMENTS_BAD);
+
+  count = tokenPresent ? 1 : 2;
+
+  /* Application only wants to know the number of slots. */
+  if (pSlotList == NULL)
+    {
+      *pulCount = count;
+      return CKR_OK;
+    }
+
+  if (*pulCount < count)
+    g_return_val_if_reached (CKR_BUFFER_TOO_SMALL);
+
+  *pulCount = count;
+  pSlotList[0] = MOCK_SLOT_ONE_ID;
+  if (!tokenPresent)
+    pSlotList[1] = MOCK_SLOT_TWO_ID;
+
+  return CKR_OK;
+}
+
+/* Update mock-pkcs11.h URIs when updating this */
+
+static const CK_SLOT_INFO TEST_INFO_ONE = {
+  "TEST SLOT                                                       ",
+  "TEST MANUFACTURER              ",
+  CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE,
+  { 55, 155 },
+  { 65, 165 },
+};
+
+/* Update mock-pkcs11.h URIs when updating this */
+
+static const CK_SLOT_INFO TEST_INFO_TWO = {
+  "TEST SLOT                                                       ",
+  "TEST MANUFACTURER              ",
+  CKF_REMOVABLE_DEVICE,
+  { 55, 155 },
+  { 65, 165 },
+};
+
+CK_RV
+mock_C_GetSlotInfo (CK_SLOT_ID slotID,
+                    CK_SLOT_INFO_PTR pInfo)
+{
+  g_return_val_if_fail (pInfo, CKR_ARGUMENTS_BAD);
+
+  if (slotID == MOCK_SLOT_ONE_ID)
+    {
+      memcpy (pInfo, &TEST_INFO_ONE, sizeof (*pInfo));
+      return CKR_OK;
+    }
+  else if (slotID == MOCK_SLOT_TWO_ID)
+    {
+      memcpy (pInfo, &TEST_INFO_TWO, sizeof (*pInfo));
+      return CKR_OK;
+    }
+  else
+    {
+      g_return_val_if_reached (CKR_SLOT_ID_INVALID);
+    }
+}
+
+/* Update mock-pkcs11.h URIs when updating this */
+
+static const CK_TOKEN_INFO TEST_TOKEN_ONE = {
+  "TEST LABEL                      ",
+  "TEST MANUFACTURER               ",
+  "TEST MODEL      ",
+  "TEST SERIAL     ",
+  CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_CLOCK_ON_TOKEN | CKF_TOKEN_INITIALIZED,
+  1,
+  2,
+  3,
+  4,
+  5,
+  6,
+  7,
+  8,
+  9,
+  10,
+  { 75, 175 },
+  { 85, 185 },
+  { '1', '9', '9', '9', '0', '5', '2', '5', '0', '9', '1', '9', '5', '9', '0', '0' }
+};
+
+CK_RV
+mock_C_GetTokenInfo (CK_SLOT_ID slotID,
+                     CK_TOKEN_INFO_PTR pInfo)
+{
+  g_return_val_if_fail (pInfo != NULL, CKR_ARGUMENTS_BAD);
+
+  if (slotID == MOCK_SLOT_ONE_ID)
+    {
+      memcpy (pInfo, &TEST_TOKEN_ONE, sizeof (*pInfo));
+      return CKR_OK;
+    }
+  else if (slotID == MOCK_SLOT_TWO_ID)
+    {
+      return CKR_TOKEN_NOT_PRESENT;
+    }
+  else
+    {
+      g_return_val_if_reached (CKR_SLOT_ID_INVALID);
+    }
+}
+
+CK_RV
+mock_fail_C_GetTokenInfo (CK_SLOT_ID slotID,
+                          CK_TOKEN_INFO_PTR pInfo)
+{
+  return CKR_GENERAL_ERROR;
+}
+
+/*
+ * TWO mechanisms:
+ *  CKM_MOCK_CAPITALIZE
+ *  CKM_MOCK_PREFIX
+ */
+
+CK_RV
+mock_C_GetMechanismList (CK_SLOT_ID slotID,
+                         CK_MECHANISM_TYPE_PTR pMechanismList,
+                         CK_ULONG_PTR pulCount)
+{
+  g_return_val_if_fail (slotID == MOCK_SLOT_ONE_ID, CKR_SLOT_ID_INVALID);
+  g_return_val_if_fail (pulCount, CKR_ARGUMENTS_BAD);
+
+  /* Application only wants to know the number of slots. */
+  if (pMechanismList == NULL)
+    {
+      *pulCount = 0;
+      return CKR_OK;
+    }
+
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_GetMechanismInfo (CK_SLOT_ID slotID,
+                         CK_MECHANISM_TYPE type,
+                         CK_MECHANISM_INFO_PTR pInfo)
+{
+  g_return_val_if_fail (slotID == MOCK_SLOT_ONE_ID, CKR_SLOT_ID_INVALID);
+  g_return_val_if_fail (pInfo, CKR_ARGUMENTS_BAD);
+
+  g_return_val_if_reached (CKR_MECHANISM_INVALID);
+}
+
+CK_RV
+mock_specific_args_C_InitToken (CK_SLOT_ID slotID,
+                                CK_UTF8CHAR_PTR pPin,
+                                CK_ULONG ulPinLen,
+                                CK_UTF8CHAR_PTR pLabel)
+{
+  g_return_val_if_fail (slotID == MOCK_SLOT_ONE_ID, CKR_SLOT_ID_INVALID);
+
+  g_return_val_if_fail (pPin, CKR_PIN_INVALID);
+  g_return_val_if_fail (strlen ("TEST PIN") == ulPinLen, CKR_PIN_INVALID);
+  g_return_val_if_fail (strncmp ((gchar *)pPin, "TEST PIN", ulPinLen) == 0, CKR_PIN_INVALID);
+  g_return_val_if_fail (pLabel != NULL, CKR_PIN_INVALID);
+  g_return_val_if_fail (strcmp ((gchar *)pPin, "TEST LABEL") == 0, CKR_PIN_INVALID);
+
+  g_free (the_pin);
+  the_pin = g_strndup ((gchar *)pPin, ulPinLen);
+  n_the_pin = ulPinLen;
+  return CKR_OK;
+}
+
+CK_RV
+mock_unsupported_C_WaitForSlotEvent (CK_FLAGS flags,
+                                     CK_SLOT_ID_PTR pSlot,
+                                     CK_VOID_PTR pReserved)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_C_OpenSession (CK_SLOT_ID slotID,
+                    CK_FLAGS flags,
+                    CK_VOID_PTR pApplication,
+                    CK_NOTIFY Notify,
+                    CK_SESSION_HANDLE_PTR phSession)
+{
+  Session *sess;
+
+  g_return_val_if_fail (slotID == MOCK_SLOT_ONE_ID || slotID == MOCK_SLOT_TWO_ID, CKR_SLOT_ID_INVALID);
+  g_return_val_if_fail (phSession != NULL, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail ((flags & CKF_SERIAL_SESSION) == CKF_SERIAL_SESSION, 
CKR_SESSION_PARALLEL_NOT_SUPPORTED);
+
+  if (slotID == MOCK_SLOT_TWO_ID)
+    return CKR_TOKEN_NOT_PRESENT;
+
+  sess = g_new0 (Session, 1);
+  sess->handle = ++unique_identifier;
+  sess->info.flags = flags;
+  sess->info.slotID = slotID;
+  sess->info.state = 0;
+  sess->info.ulDeviceError = 1414;
+  sess->objects = g_hash_table_new_full (g_direct_hash, g_direct_equal, NULL, 
(GDestroyNotify)g_pkcs11_array_unref);
+  *phSession = sess->handle;
+
+  g_hash_table_replace (the_sessions, GUINT_TO_POINTER (sess->handle), sess);
+  return CKR_OK;
+}
+
+CK_RV
+mock_fail_C_OpenSession (CK_SLOT_ID slotID,
+                         CK_FLAGS flags,
+                         CK_VOID_PTR pApplication,
+                         CK_NOTIFY Notify,
+                         CK_SESSION_HANDLE_PTR phSession)
+{
+  return CKR_GENERAL_ERROR;
+}
+
+CK_RV
+mock_C_CloseSession (CK_SESSION_HANDLE hSession)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  g_hash_table_remove (the_sessions, GUINT_TO_POINTER (hSession));
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_CloseAllSessions (CK_SLOT_ID slotID)
+{
+  g_return_val_if_fail (slotID == MOCK_SLOT_ONE_ID, CKR_SLOT_ID_INVALID);
+
+  g_hash_table_remove_all (the_sessions);
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_GetFunctionStatus (CK_SESSION_HANDLE hSession)
+{
+  return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+CK_RV
+mock_C_CancelFunction (CK_SESSION_HANDLE hSession)
+{
+  return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+CK_RV
+mock_C_GetSessionInfo (CK_SESSION_HANDLE hSession,
+                       CK_SESSION_INFO_PTR pInfo)
+{
+  Session *session;
+
+  g_return_val_if_fail (pInfo != NULL, CKR_ARGUMENTS_BAD);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_assert (session != NULL && "No such session found");
+  if (!session)
+    return CKR_SESSION_HANDLE_INVALID;
+
+  if (logged_in)
+    {
+      if (session->info.flags & CKF_RW_SESSION)
+        session->info.state = CKS_RW_USER_FUNCTIONS;
+      else
+        session->info.state = CKS_RO_USER_FUNCTIONS;
+    }
+  else
+    {
+      if (session->info.flags & CKF_RW_SESSION)
+        session->info.state = CKS_RW_PUBLIC_SESSION;
+      else
+        session->info.state = CKS_RO_PUBLIC_SESSION;
+    }
+
+  memcpy (pInfo, &session->info, sizeof (*pInfo));
+  return CKR_OK;
+}
+
+CK_RV
+mock_fail_C_GetSessionInfo (CK_SESSION_HANDLE hSession,
+                            CK_SESSION_INFO_PTR pInfo)
+{
+  return CKR_GENERAL_ERROR;
+}
+
+CK_RV
+mock_C_InitPIN (CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin,
+                    CK_ULONG ulPinLen)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  g_free (the_pin);
+  the_pin = g_strndup ((gchar *)pPin, ulPinLen);
+  n_the_pin = ulPinLen;
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_SetPIN (CK_SESSION_HANDLE hSession,
+               CK_UTF8CHAR_PTR pOldPin,
+               CK_ULONG ulOldLen,
+               CK_UTF8CHAR_PTR pNewPin,
+               CK_ULONG ulNewLen)
+{
+  Session *session;
+  gchar *old;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  old = g_strndup ((gchar *)pOldPin, ulOldLen);
+  if (!old || !g_str_equal (old, the_pin))
+    return CKR_PIN_INCORRECT;
+
+  g_free (the_pin);
+  the_pin = g_strndup ((gchar *)pNewPin, ulNewLen);
+  n_the_pin = ulNewLen;
+  return CKR_OK;
+}
+
+CK_RV
+mock_unsupported_C_GetOperationState (CK_SESSION_HANDLE hSession,
+                                      CK_BYTE_PTR pOperationState,
+                                      CK_ULONG_PTR pulOperationStateLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_SetOperationState (CK_SESSION_HANDLE hSession,
+                                      CK_BYTE_PTR pOperationState,
+                                      CK_ULONG ulOperationStateLen,
+                                      CK_OBJECT_HANDLE hEncryptionKey,
+                                      CK_OBJECT_HANDLE hAuthenticationKey)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_C_Login (CK_SESSION_HANDLE hSession,
+              CK_USER_TYPE userType,
+              CK_UTF8CHAR_PTR pPin,
+              CK_ULONG pPinLen)
+{
+  Session *session;
+
+  g_return_val_if_fail (userType == CKU_SO ||
+                        userType == CKU_USER ||
+                        userType == CKU_CONTEXT_SPECIFIC,
+                        CKR_USER_TYPE_INVALID);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+  g_return_val_if_fail (logged_in == FALSE, CKR_USER_ALREADY_LOGGED_IN);
+
+  if (!pPin)
+    return CKR_PIN_INCORRECT;
+
+  if (pPinLen != strlen (the_pin))
+    return CKR_PIN_INCORRECT;
+  if (strncmp ((gchar *)pPin, the_pin, pPinLen) != 0)
+    return CKR_PIN_INCORRECT;
+
+  if (userType == CKU_CONTEXT_SPECIFIC)
+    {
+      g_return_val_if_fail (session->want_context_login == TRUE, CKR_OPERATION_NOT_INITIALIZED);
+      session->want_context_login = CK_FALSE;
+    }
+  else
+    {
+      logged_in = TRUE;
+      user_type = userType;
+    }
+
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_Logout (CK_SESSION_HANDLE hSession)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_assert (session != NULL && "No such session found");
+  if (!session)
+    return CKR_SESSION_HANDLE_INVALID;
+
+  g_assert (logged_in && "Not logged in");
+  logged_in = FALSE;
+  user_type = 0;
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_CreateObject (CK_SESSION_HANDLE hSession,
+                     CK_ATTRIBUTE_PTR pTemplate,
+                     CK_ULONG ulCount,
+                     CK_OBJECT_HANDLE_PTR phObject)
+{
+  GPkcs11Array *attrs;
+  Session *session;
+  gboolean token, priv;
+  CK_ULONG i;
+
+  g_return_val_if_fail (phObject, CKR_ARGUMENTS_BAD);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  attrs = g_pkcs11_array_new ();
+  for (i = 0; i < ulCount; ++i)
+    g_pkcs11_array_add_value (attrs, pTemplate[i].type, pTemplate[i].pValue, pTemplate[i].ulValueLen);
+
+  if (g_pkcs11_array_find_boolean (attrs, CKA_PRIVATE, &priv) && priv)
+    {
+      if (!logged_in)
+        {
+          g_pkcs11_array_unref (attrs);
+          return CKR_USER_NOT_LOGGED_IN;
+        }
+    }
+
+  *phObject = ++unique_identifier;
+  if (g_pkcs11_array_find_boolean (attrs, CKA_TOKEN, &token) && token)
+    g_hash_table_insert (the_objects, GUINT_TO_POINTER (*phObject), attrs);
+  else
+    g_hash_table_insert (session->objects, GUINT_TO_POINTER (*phObject), attrs);
+
+  return CKR_OK;
+}
+
+CK_RV
+mock_fail_C_CreateObject (CK_SESSION_HANDLE hSession,
+                          CK_ATTRIBUTE_PTR pTemplate,
+                          CK_ULONG ulCount,
+                          CK_OBJECT_HANDLE_PTR phObject)
+{
+  /* Always fails */
+  return CKR_FUNCTION_FAILED;
+}
+
+CK_RV
+mock_unsupported_C_CopyObject (CK_SESSION_HANDLE hSession,
+                               CK_OBJECT_HANDLE hObject,
+                               CK_ATTRIBUTE_PTR pTemplate,
+                               CK_ULONG ulCount,
+                               CK_OBJECT_HANDLE_PTR phNewObject)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_C_DestroyObject (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+  GPkcs11Array *attrs;
+  Session *session;
+  gboolean priv;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  attrs = lookup_object (session, hObject);
+  g_return_val_if_fail (attrs, CKR_OBJECT_HANDLE_INVALID);
+
+  if (g_pkcs11_array_find_boolean (attrs, CKA_PRIVATE, &priv) && priv)
+    {
+      if (!logged_in)
+        return CKR_USER_NOT_LOGGED_IN;
+    }
+
+  g_hash_table_remove (the_objects, GUINT_TO_POINTER (hObject));
+  g_hash_table_remove (session->objects, GUINT_TO_POINTER (hObject));
+
+  return CKR_OK;
+}
+
+CK_RV
+mock_unsupported_C_GetObjectSize (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                                      CK_ULONG_PTR pulSize)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_C_GetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                              CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+  CK_ATTRIBUTE_PTR result;
+  CK_RV ret = CKR_OK;
+  GPkcs11Array *attrs;
+  const CK_ATTRIBUTE *attr;
+  Session *session;
+  CK_ULONG i;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  attrs = lookup_object (session, hObject);
+  if (!attrs)
+    {
+      g_assert_not_reached (); /* "invalid object handle passed" */
+      return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+  for (i = 0; i < ulCount; ++i)
+    {
+      result = pTemplate + i;
+      attr = g_pkcs11_array_find (attrs, result->type);
+      if (!attr)
+        {
+          result->ulValueLen = (CK_ULONG)-1;
+          ret = CKR_ATTRIBUTE_TYPE_INVALID;
+          continue;
+        }
+
+      if (!result->pValue)
+        {
+          result->ulValueLen = attr->ulValueLen;
+          continue;
+        }
+
+      if (result->ulValueLen >= attr->ulValueLen)
+        {
+          memcpy (result->pValue, attr->pValue, attr->ulValueLen);
+          continue;
+        }
+
+      result->ulValueLen = (CK_ULONG)-1;
+      ret = CKR_BUFFER_TOO_SMALL;
+    }
+
+  return ret;
+}
+
+CK_RV
+mock_fail_C_GetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                                   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+CK_RV
+mock_C_SetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                              CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+  Session *session;
+  GPkcs11Array *attrs;
+  CK_ULONG i;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  attrs = lookup_object (session, hObject);
+  g_return_val_if_fail (attrs, CKR_OBJECT_HANDLE_INVALID);
+
+  for (i = 0; i < ulCount; ++i)
+    g_pkcs11_array_set (attrs, pTemplate + i);
+
+  return CKR_OK;
+}
+
+typedef struct
+{
+  CK_ATTRIBUTE_PTR template;
+  CK_ULONG count;
+  Session *session;
+} FindObjects;
+
+static gboolean
+enumerate_and_find_objects (CK_OBJECT_HANDLE object,
+                            GPkcs11Array *attrs,
+                            gpointer user_data)
+{
+  FindObjects *ctx = user_data;
+  CK_ATTRIBUTE_PTR match;
+  const CK_ATTRIBUTE *attr;
+  CK_ULONG i;
+
+  for (i = 0; i < ctx->count; ++i)
+    {
+      match = ctx->template + i;
+      attr = g_pkcs11_array_find (attrs, match->type);
+      if (!attr)
+        return TRUE; /* Continue */
+
+      if (attr->ulValueLen != match->ulValueLen ||
+          memcmp (attr->pValue, match->pValue, attr->ulValueLen) != 0)
+        return TRUE; /* Continue */
+    }
+
+  ctx->session->matches = g_list_prepend (ctx->session->matches, GUINT_TO_POINTER (object));
+  return TRUE; /* Continue */
+}
+
+CK_RV
+mock_C_FindObjectsInit (CK_SESSION_HANDLE hSession,
+                        CK_ATTRIBUTE_PTR pTemplate,
+                        CK_ULONG ulCount)
+{
+  Session *session;
+  FindObjects ctx;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  /* Starting an operation, cancels any previous one */
+  if (session->operation != 0)
+    session->operation = 0;
+
+  session->operation = OP_FIND;
+
+  ctx.template = pTemplate;
+  ctx.count = ulCount;
+  ctx.session = session;
+
+  mock_module_enumerate_objects (hSession, enumerate_and_find_objects, &ctx);
+  return CKR_OK;
+}
+
+CK_RV
+mock_fail_C_FindObjects (CK_SESSION_HANDLE hSession,
+                         CK_OBJECT_HANDLE_PTR phObject,
+                         CK_ULONG ulMaxObjectCount,
+                         CK_ULONG_PTR pulObjectCount)
+{
+  /* Always fails */
+  return CKR_FUNCTION_FAILED;
+}
+
+CK_RV
+mock_C_FindObjects (CK_SESSION_HANDLE hSession,
+                    CK_OBJECT_HANDLE_PTR phObject,
+                    CK_ULONG ulMaxObjectCount,
+                    CK_ULONG_PTR pulObjectCount)
+{
+  Session *session;
+
+  g_return_val_if_fail (phObject, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail (pulObjectCount, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail (ulMaxObjectCount != 0, CKR_ARGUMENTS_BAD);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+  g_return_val_if_fail (session->operation == OP_FIND, CKR_OPERATION_NOT_INITIALIZED);
+
+  *pulObjectCount = 0;
+  while (ulMaxObjectCount > 0 && session->matches)
+    {
+      *phObject = GPOINTER_TO_UINT (session->matches->data);
+      ++phObject;
+      --ulMaxObjectCount;
+      ++(*pulObjectCount);
+      session->matches = g_list_remove (session->matches, session->matches->data);
+    }
+
+  return CKR_OK;
+}
+
+CK_RV
+mock_C_FindObjectsFinal (CK_SESSION_HANDLE hSession)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+  g_return_val_if_fail (session->operation == OP_FIND, CKR_OPERATION_NOT_INITIALIZED);
+
+  session->operation = 0;
+  g_list_free (session->matches);
+  session->matches = NULL;
+
+  return CKR_OK;
+}
+
+CK_RV
+mock_no_mechanisms_C_EncryptInit (CK_SESSION_HANDLE hSession,
+                                  CK_MECHANISM_PTR pMechanism,
+                                  CK_OBJECT_HANDLE hKey)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_not_initialized_C_Encrypt (CK_SESSION_HANDLE hSession,
+                                CK_BYTE_PTR pData,
+                                CK_ULONG ulDataLen,
+                                CK_BYTE_PTR pEncryptedData,
+                                CK_ULONG_PTR pulEncryptedDataLen)
+{
+  return CKR_OPERATION_NOT_INITIALIZED;
+}
+
+CK_RV
+mock_unsupported_C_EncryptUpdate (CK_SESSION_HANDLE hSession,
+                                  CK_BYTE_PTR pPart,
+                                  CK_ULONG ulPartLen,
+                                  CK_BYTE_PTR pEncryptedPart,
+                                  CK_ULONG_PTR pulEncryptedPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_EncryptFinal (CK_SESSION_HANDLE hSession,
+                                 CK_BYTE_PTR pLastEncryptedPart,
+                                 CK_ULONG_PTR pulLastEncryptedPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_no_mechanisms_C_DecryptInit (CK_SESSION_HANDLE hSession,
+                                  CK_MECHANISM_PTR pMechanism,
+                                  CK_OBJECT_HANDLE hKey)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_not_initialized_C_Decrypt (CK_SESSION_HANDLE hSession,
+                                CK_BYTE_PTR pEncryptedData,
+                                CK_ULONG ulEncryptedDataLen,
+                                CK_BYTE_PTR pData,
+                                CK_ULONG_PTR pulDataLen)
+{
+  return CKR_OPERATION_NOT_INITIALIZED;
+}
+
+CK_RV
+mock_unsupported_C_DecryptUpdate (CK_SESSION_HANDLE hSession,
+                                  CK_BYTE_PTR pEncryptedPart,
+                                  CK_ULONG ulEncryptedPartLen,
+                                  CK_BYTE_PTR pPart,
+                                  CK_ULONG_PTR pulPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DecryptFinal (CK_SESSION_HANDLE hSession,
+                                 CK_BYTE_PTR pLastPart,
+                                 CK_ULONG_PTR pulLastPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DigestInit (CK_SESSION_HANDLE hSession,
+                               CK_MECHANISM_PTR pMechanism)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_Digest (CK_SESSION_HANDLE hSession,
+                           CK_BYTE_PTR pData,
+                           CK_ULONG ulDataLen,
+                           CK_BYTE_PTR pDigest,
+                           CK_ULONG_PTR pulDigestLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DigestUpdate (CK_SESSION_HANDLE hSession,
+                                 CK_BYTE_PTR pPart,
+                                 CK_ULONG ulPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DigestKey (CK_SESSION_HANDLE hSession,
+                              CK_OBJECT_HANDLE hKey)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DigestFinal (CK_SESSION_HANDLE hSession,
+                                CK_BYTE_PTR pDigest,
+                                CK_ULONG_PTR pulDigestLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_no_mechanisms_C_SignInit (CK_SESSION_HANDLE hSession,
+                               CK_MECHANISM_PTR pMechanism,
+                               CK_OBJECT_HANDLE hKey)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_not_initialized_C_Sign (CK_SESSION_HANDLE hSession,
+                             CK_BYTE_PTR pData,
+                             CK_ULONG ulDataLen,
+                             CK_BYTE_PTR pSignature,
+                             CK_ULONG_PTR pulSignatureLen)
+{
+  return CKR_OPERATION_NOT_INITIALIZED;
+}
+
+CK_RV
+mock_unsupported_C_SignUpdate (CK_SESSION_HANDLE hSession,
+                               CK_BYTE_PTR pPart,
+                               CK_ULONG ulPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_SignFinal (CK_SESSION_HANDLE hSession,
+                              CK_BYTE_PTR pSignature,
+                              CK_ULONG_PTR pulSignatureLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_SignRecoverInit (CK_SESSION_HANDLE hSession,
+                                    CK_MECHANISM_PTR pMechanism,
+                                    CK_OBJECT_HANDLE hKey)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_SignRecover (CK_SESSION_HANDLE hSession,
+                                CK_BYTE_PTR pData,
+                                CK_ULONG ulDataLen,
+                                CK_BYTE_PTR pSignature,
+                                CK_ULONG_PTR pulSignatureLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_no_mechanisms_C_VerifyInit (CK_SESSION_HANDLE hSession,
+                                 CK_MECHANISM_PTR pMechanism,
+                                 CK_OBJECT_HANDLE hKey)
+{
+  Session *session;
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_not_initialized_C_Verify (CK_SESSION_HANDLE hSession,
+                               CK_BYTE_PTR pData,
+                               CK_ULONG ulDataLen,
+                               CK_BYTE_PTR pSignature,
+                               CK_ULONG ulSignatureLen)
+{
+  return CKR_OPERATION_NOT_INITIALIZED;
+}
+
+CK_RV
+mock_unsupported_C_VerifyUpdate (CK_SESSION_HANDLE hSession,
+                                 CK_BYTE_PTR pPart,
+                                 CK_ULONG ulPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_VerifyFinal (CK_SESSION_HANDLE hSession,
+                                CK_BYTE_PTR pSignature,
+                                CK_ULONG pulSignatureLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_VerifyRecoverInit (CK_SESSION_HANDLE hSession,
+                                      CK_MECHANISM_PTR pMechanism,
+                                      CK_OBJECT_HANDLE hKey)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_VerifyRecover (CK_SESSION_HANDLE hSession,
+                                  CK_BYTE_PTR pSignature,
+                                  CK_ULONG pulSignatureLen,
+                                  CK_BYTE_PTR pData,
+                                  CK_ULONG_PTR pulDataLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DigestEncryptUpdate (CK_SESSION_HANDLE hSession,
+                                        CK_BYTE_PTR pPart,
+                                        CK_ULONG ulPartLen,
+                                        CK_BYTE_PTR pEncryptedPart,
+                                        CK_ULONG_PTR ulEncryptedPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DecryptDigestUpdate (CK_SESSION_HANDLE hSession,
+                                        CK_BYTE_PTR pEncryptedPart,
+                                        CK_ULONG ulEncryptedPartLen,
+                                        CK_BYTE_PTR pPart,
+                                        CK_ULONG_PTR pulPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_SignEncryptUpdate (CK_SESSION_HANDLE hSession,
+                                      CK_BYTE_PTR pPart,
+                                      CK_ULONG ulPartLen,
+                                      CK_BYTE_PTR pEncryptedPart,
+                                      CK_ULONG_PTR ulEncryptedPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_DecryptVerifyUpdate (CK_SESSION_HANDLE hSession,
+                                        CK_BYTE_PTR pEncryptedPart,
+                                        CK_ULONG ulEncryptedPartLen,
+                                        CK_BYTE_PTR pPart,
+                                        CK_ULONG_PTR pulPartLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_GenerateKey (CK_SESSION_HANDLE hSession,
+                                CK_MECHANISM_PTR pMechanism,
+                                CK_ATTRIBUTE_PTR pTemplate,
+                                CK_ULONG ulCount,
+                                CK_OBJECT_HANDLE_PTR phKey)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_no_mechanisms_C_GenerateKeyPair (CK_SESSION_HANDLE hSession,
+                                      CK_MECHANISM_PTR pMechanism,
+                                      CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+                                      CK_ULONG ulPublicKeyAttributeCount,
+                                      CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+                                      CK_ULONG ulPrivateKeyAttributeCount,
+                                      CK_OBJECT_HANDLE_PTR phPublicKey,
+                                      CK_OBJECT_HANDLE_PTR phPrivateKey)
+{
+  Session *session;
+
+  g_return_val_if_fail (pMechanism, CKR_MECHANISM_INVALID);
+  g_return_val_if_fail (pPublicKeyTemplate, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (ulPublicKeyAttributeCount, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (pPrivateKeyTemplate, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (ulPrivateKeyAttributeCount, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (phPublicKey, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail (phPrivateKey, CKR_ARGUMENTS_BAD);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_no_mechanisms_C_WrapKey (CK_SESSION_HANDLE hSession,
+                              CK_MECHANISM_PTR pMechanism,
+                              CK_OBJECT_HANDLE hWrappingKey,
+                              CK_OBJECT_HANDLE hKey,
+                              CK_BYTE_PTR pWrappedKey,
+                              CK_ULONG_PTR pulWrappedKeyLen)
+{
+  Session *session;
+
+  g_return_val_if_fail (pMechanism, CKR_MECHANISM_INVALID);
+  g_return_val_if_fail (hWrappingKey, CKR_OBJECT_HANDLE_INVALID);
+  g_return_val_if_fail (hKey, CKR_OBJECT_HANDLE_INVALID);
+  g_return_val_if_fail (pulWrappedKeyLen, CKR_WRAPPED_KEY_LEN_RANGE);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_no_mechanisms_C_UnwrapKey (CK_SESSION_HANDLE hSession,
+                                CK_MECHANISM_PTR pMechanism,
+                                CK_OBJECT_HANDLE hUnwrappingKey,
+                                CK_BYTE_PTR pWrappedKey,
+                                CK_ULONG ulWrappedKeyLen,
+                                CK_ATTRIBUTE_PTR pTemplate,
+                                CK_ULONG ulCount,
+                                CK_OBJECT_HANDLE_PTR phKey)
+{
+  Session *session;
+
+  g_return_val_if_fail (pMechanism, CKR_MECHANISM_INVALID);
+  g_return_val_if_fail (hUnwrappingKey, CKR_WRAPPING_KEY_HANDLE_INVALID);
+  g_return_val_if_fail (pWrappedKey, CKR_WRAPPED_KEY_INVALID);
+  g_return_val_if_fail (ulWrappedKeyLen, CKR_WRAPPED_KEY_LEN_RANGE);
+  g_return_val_if_fail (phKey, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail (pTemplate, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (ulCount, CKR_TEMPLATE_INCONSISTENT);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session != NULL, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_no_mechanisms_C_DeriveKey (CK_SESSION_HANDLE hSession,
+                                CK_MECHANISM_PTR pMechanism,
+                                CK_OBJECT_HANDLE hBaseKey,
+                                CK_ATTRIBUTE_PTR pTemplate,
+                                CK_ULONG ulCount,
+                                CK_OBJECT_HANDLE_PTR phKey)
+{
+  Session *session;
+
+  g_return_val_if_fail (pMechanism, CKR_MECHANISM_INVALID);
+  g_return_val_if_fail (ulCount, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (pTemplate, CKR_TEMPLATE_INCOMPLETE);
+  g_return_val_if_fail (phKey, CKR_ARGUMENTS_BAD);
+
+  session = g_hash_table_lookup (the_sessions, GUINT_TO_POINTER (hSession));
+  g_return_val_if_fail (session, CKR_SESSION_HANDLE_INVALID);
+
+  return CKR_MECHANISM_INVALID;
+}
+
+CK_RV
+mock_unsupported_C_SeedRandom (CK_SESSION_HANDLE hSession,
+                               CK_BYTE_PTR pSeed,
+                               CK_ULONG ulSeedLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+mock_unsupported_C_GenerateRandom (CK_SESSION_HANDLE hSession,
+                                   CK_BYTE_PTR pRandomData,
+                                   CK_ULONG ulRandomLen)
+{
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_FUNCTION_LIST mock_default_functions = {
+  { 2, 11 },        /* version */
+  mock_validate_and_C_Initialize,
+  mock_C_Finalize,
+  mock_C_GetInfo,
+  mock_C_GetFunctionList,
+  mock_C_GetSlotList,
+  mock_C_GetSlotInfo,
+  mock_C_GetTokenInfo,
+  mock_C_GetMechanismList,
+  mock_C_GetMechanismInfo,
+  mock_specific_args_C_InitToken,
+  mock_C_InitPIN,
+  mock_C_SetPIN,
+  mock_C_OpenSession,
+  mock_C_CloseSession,
+  mock_C_CloseAllSessions,
+  mock_C_GetSessionInfo,
+  mock_unsupported_C_GetOperationState,
+  mock_unsupported_C_SetOperationState,
+  mock_C_Login,
+  mock_C_Logout,
+  mock_C_CreateObject,
+  mock_unsupported_C_CopyObject,
+  mock_C_DestroyObject,
+  mock_unsupported_C_GetObjectSize,
+  mock_C_GetAttributeValue,
+  mock_C_SetAttributeValue,
+  mock_C_FindObjectsInit,
+  mock_C_FindObjects,
+  mock_C_FindObjectsFinal,
+  mock_no_mechanisms_C_EncryptInit,
+  mock_not_initialized_C_Encrypt,
+  mock_unsupported_C_EncryptUpdate,
+  mock_unsupported_C_EncryptFinal,
+  mock_no_mechanisms_C_DecryptInit,
+  mock_not_initialized_C_Decrypt,
+  mock_unsupported_C_DecryptUpdate,
+  mock_unsupported_C_DecryptFinal,
+  mock_unsupported_C_DigestInit,
+  mock_unsupported_C_Digest,
+  mock_unsupported_C_DigestUpdate,
+  mock_unsupported_C_DigestKey,
+  mock_unsupported_C_DigestFinal,
+  mock_no_mechanisms_C_SignInit,
+  mock_not_initialized_C_Sign,
+  mock_unsupported_C_SignUpdate,
+  mock_unsupported_C_SignFinal,
+  mock_unsupported_C_SignRecoverInit,
+  mock_unsupported_C_SignRecover,
+  mock_no_mechanisms_C_VerifyInit,
+  mock_not_initialized_C_Verify,
+  mock_unsupported_C_VerifyUpdate,
+  mock_unsupported_C_VerifyFinal,
+  mock_unsupported_C_VerifyRecoverInit,
+  mock_unsupported_C_VerifyRecover,
+  mock_unsupported_C_DigestEncryptUpdate,
+  mock_unsupported_C_DecryptDigestUpdate,
+  mock_unsupported_C_SignEncryptUpdate,
+  mock_unsupported_C_DecryptVerifyUpdate,
+  mock_unsupported_C_GenerateKey,
+  mock_no_mechanisms_C_GenerateKeyPair,
+  mock_no_mechanisms_C_WrapKey,
+  mock_no_mechanisms_C_UnwrapKey,
+  mock_no_mechanisms_C_DeriveKey,
+  mock_unsupported_C_SeedRandom,
+  mock_unsupported_C_GenerateRandom,
+  mock_C_GetFunctionStatus,
+  mock_C_CancelFunction,
+  mock_unsupported_C_WaitForSlotEvent
+};
diff --git a/tls/tests/mock-pkcs11.h b/tls/tests/mock-pkcs11.h
new file mode 100644
index 0000000..a6bfa27
--- /dev/null
+++ b/tls/tests/mock-pkcs11.h
@@ -0,0 +1,396 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * Copyright (C) 2010 Stefan Walter
+ * Copyright (C) 2011 Collabora Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ */
+
+#include <glib.h>
+
+#include <p11-kit/pkcs11.h>
+
+#include "pkcs11/gpkcs11array.h"
+
+#ifndef MOCK_MODULE_H
+#define MOCK_MODULE_H
+
+extern CK_FUNCTION_LIST mock_default_functions;
+
+CK_RV               mock_C_Initialize                          (CK_VOID_PTR pInitArgs);
+
+CK_RV               mock_validate_and_C_Initialize             (CK_VOID_PTR pInitArgs);
+
+CK_RV               mock_C_Finalize                            (CK_VOID_PTR pReserved);
+
+CK_RV               mock_C_GetInfo                             (CK_INFO_PTR pInfo);
+
+CK_RV               mock_C_GetFunctionList                     (CK_FUNCTION_LIST_PTR_PTR list);
+
+CK_RV               mock_C_GetSlotList                         (CK_BBOOL tokenPresent,
+                                                                CK_SLOT_ID_PTR pSlotList,
+                                                                CK_ULONG_PTR pulCount);
+
+CK_RV               mock_C_GetSlotInfo                         (CK_SLOT_ID slotID,
+                                                                CK_SLOT_INFO_PTR pInfo);
+
+CK_RV               mock_C_GetTokenInfo                        (CK_SLOT_ID slotID,
+                                                                CK_TOKEN_INFO_PTR pInfo);
+
+CK_RV               mock_fail_C_GetTokenInfo                   (CK_SLOT_ID slotID,
+                                                                CK_TOKEN_INFO_PTR pInfo);
+
+CK_RV               mock_C_GetMechanismList                    (CK_SLOT_ID slotID,
+                                                                CK_MECHANISM_TYPE_PTR pMechanismList,
+                                                                CK_ULONG_PTR pulCount);
+
+CK_RV               mock_C_GetMechanismInfo                    (CK_SLOT_ID slotID,
+                                                                CK_MECHANISM_TYPE type,
+                                                                CK_MECHANISM_INFO_PTR pInfo);
+
+CK_RV               mock_specific_args_C_InitToken             (CK_SLOT_ID slotID,
+                                                                CK_UTF8CHAR_PTR pPin,
+                                                                CK_ULONG ulPinLen,
+                                                                CK_UTF8CHAR_PTR pLabel);
+
+CK_RV               mock_unsupported_C_WaitForSlotEvent        (CK_FLAGS flags,
+                                                                CK_SLOT_ID_PTR pSlot,
+                                                                CK_VOID_PTR pReserved);
+
+CK_RV               mock_C_OpenSession                         (CK_SLOT_ID slotID,
+                                                                CK_FLAGS flags,
+                                                                CK_VOID_PTR pApplication,
+                                                                CK_NOTIFY Notify,
+                                                                CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV               mock_fail_C_OpenSession                    (CK_SLOT_ID slotID,
+                                                                CK_FLAGS flags,
+                                                                CK_VOID_PTR pApplication,
+                                                                CK_NOTIFY Notify,
+                                                                CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV               mock_C_CloseSession                        (CK_SESSION_HANDLE hSession);
+
+CK_RV               mock_C_CloseAllSessions                    (CK_SLOT_ID slotID);
+
+CK_RV               mock_C_GetFunctionStatus                   (CK_SESSION_HANDLE hSession);
+
+CK_RV               mock_C_CancelFunction                      (CK_SESSION_HANDLE hSession);
+
+CK_RV               mock_C_GetSessionInfo                      (CK_SESSION_HANDLE hSession,
+                                                                CK_SESSION_INFO_PTR pInfo);
+
+CK_RV               mock_fail_C_GetSessionInfo                 (CK_SESSION_HANDLE hSession,
+                                                                CK_SESSION_INFO_PTR pInfo);
+
+CK_RV               mock_C_InitPIN                             (CK_SESSION_HANDLE hSession,
+                                                                CK_UTF8CHAR_PTR pPin,
+                                                                CK_ULONG ulPinLen);
+
+CK_RV               mock_C_SetPIN                              (CK_SESSION_HANDLE hSession,
+                                                                CK_UTF8CHAR_PTR pOldPin,
+                                                                CK_ULONG ulOldLen,
+                                                                CK_UTF8CHAR_PTR pNewPin,
+                                                                CK_ULONG ulNewLen);
+
+CK_RV               mock_unsupported_C_GetOperationState       (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pOperationState,
+                                                                CK_ULONG_PTR pulOperationStateLen);
+
+CK_RV               mock_unsupported_C_SetOperationState       (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pOperationState,
+                                                                CK_ULONG ulOperationStateLen,
+                                                                CK_OBJECT_HANDLE hEncryptionKey,
+                                                                CK_OBJECT_HANDLE hAuthenticationKey);
+
+CK_RV               mock_C_Login                               (CK_SESSION_HANDLE hSession,
+                                                                CK_USER_TYPE userType,
+                                                                CK_UTF8CHAR_PTR pPin,
+                                                                CK_ULONG pPinLen);
+
+CK_RV               mock_C_Logout                              (CK_SESSION_HANDLE hSession);
+
+CK_RV               mock_C_CreateObject                        (CK_SESSION_HANDLE hSession,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount,
+                                                                CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV               mock_fail_C_CreateObject                   (CK_SESSION_HANDLE hSession,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount,
+                                                                CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV               mock_unsupported_C_CopyObject              (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hObject,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount,
+                                                                CK_OBJECT_HANDLE_PTR phNewObject);
+
+CK_RV               mock_C_DestroyObject                       (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hObject);
+
+CK_RV               mock_unsupported_C_GetObjectSize           (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hObject,
+                                                                CK_ULONG_PTR pulSize);
+
+CK_RV               mock_C_GetAttributeValue                   (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hObject,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount);
+
+CK_RV               mock_fail_C_GetAttributeValue              (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hObject,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount);
+
+CK_RV               mock_C_SetAttributeValue                   (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hObject,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount);
+
+CK_RV               mock_C_FindObjectsInit                     (CK_SESSION_HANDLE hSession,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount);
+
+CK_RV               mock_C_FindObjects                         (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE_PTR phObject,
+                                                                CK_ULONG ulMaxObjectCount,
+                                                                CK_ULONG_PTR pulObjectCount);
+
+CK_RV               mock_fail_C_FindObjects                    (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE_PTR phObject,
+                                                                CK_ULONG ulMaxObjectCount,
+                                                                CK_ULONG_PTR pulObjectCount);
+
+CK_RV               mock_C_FindObjectsFinal                    (CK_SESSION_HANDLE hSession);
+
+CK_RV               mock_no_mechanisms_C_EncryptInit           (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_not_initialized_C_Encrypt             (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG ulDataLen,
+                                                                CK_BYTE_PTR pEncryptedData,
+                                                                CK_ULONG_PTR pulEncryptedDataLen);
+
+CK_RV               mock_unsupported_C_EncryptUpdate           (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG ulPartLen,
+                                                                CK_BYTE_PTR pEncryptedPart,
+                                                                CK_ULONG_PTR pulEncryptedPartLen);
+
+CK_RV               mock_unsupported_C_EncryptFinal            (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pLastEncryptedPart,
+                                                                CK_ULONG_PTR pulLastEncryptedPartLen);
+
+CK_RV               mock_no_mechanisms_C_DecryptInit           (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_not_initialized_C_Decrypt             (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pEncryptedData,
+                                                                CK_ULONG ulEncryptedDataLen,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG_PTR pulDataLen);
+
+CK_RV               mock_unsupported_C_DecryptUpdate           (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pEncryptedPart,
+                                                                CK_ULONG ulEncryptedPartLen,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG_PTR pulPartLen);
+
+CK_RV               mock_unsupported_C_DecryptFinal            (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pLastPart,
+                                                                CK_ULONG_PTR pulLastPartLen);
+
+CK_RV               mock_unsupported_C_DigestInit              (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism);
+
+CK_RV               mock_unsupported_C_Digest                  (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG ulDataLen,
+                                                                CK_BYTE_PTR pDigest,
+                                                                CK_ULONG_PTR pulDigestLen);
+
+CK_RV               mock_unsupported_C_DigestUpdate            (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG ulPartLen);
+
+CK_RV               mock_unsupported_C_DigestKey               (CK_SESSION_HANDLE hSession,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_unsupported_C_DigestFinal             (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pDigest,
+                                                                CK_ULONG_PTR pulDigestLen);
+
+CK_RV               mock_no_mechanisms_C_SignInit              (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_not_initialized_C_Sign                (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG ulDataLen,
+                                                                CK_BYTE_PTR pSignature,
+                                                                CK_ULONG_PTR pulSignatureLen);
+
+CK_RV               mock_unsupported_C_SignUpdate              (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG ulPartLen);
+
+CK_RV               mock_unsupported_C_SignFinal               (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pSignature,
+                                                                CK_ULONG_PTR pulSignatureLen);
+
+CK_RV               mock_unsupported_C_SignRecoverInit         (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_unsupported_C_SignRecover             (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG ulDataLen,
+                                                                CK_BYTE_PTR pSignature,
+                                                                CK_ULONG_PTR pulSignatureLen);
+
+CK_RV               mock_no_mechanisms_C_VerifyInit            (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_not_initialized_C_Verify              (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG ulDataLen,
+                                                                CK_BYTE_PTR pSignature,
+                                                                CK_ULONG ulSignatureLen);
+
+CK_RV               mock_unsupported_C_VerifyUpdate            (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG ulPartLen);
+
+CK_RV               mock_unsupported_C_VerifyFinal             (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pSignature,
+                                                                CK_ULONG pulSignatureLen);
+
+CK_RV               mock_unsupported_C_VerifyRecoverInit       (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hKey);
+
+CK_RV               mock_unsupported_C_VerifyRecover           (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pSignature,
+                                                                CK_ULONG pulSignatureLen,
+                                                                CK_BYTE_PTR pData,
+                                                                CK_ULONG_PTR pulDataLen);
+
+CK_RV               mock_unsupported_C_DigestEncryptUpdate     (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG ulPartLen,
+                                                                CK_BYTE_PTR pEncryptedPart,
+                                                                CK_ULONG_PTR ulEncryptedPartLen);
+
+CK_RV               mock_unsupported_C_DecryptDigestUpdate     (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pEncryptedPart,
+                                                                CK_ULONG ulEncryptedPartLen,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG_PTR pulPartLen);
+
+CK_RV               mock_unsupported_C_SignEncryptUpdate       (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG ulPartLen,
+                                                                CK_BYTE_PTR pEncryptedPart,
+                                                                CK_ULONG_PTR ulEncryptedPartLen);
+
+CK_RV               mock_unsupported_C_DecryptVerifyUpdate     (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pEncryptedPart,
+                                                                CK_ULONG ulEncryptedPartLen,
+                                                                CK_BYTE_PTR pPart,
+                                                                CK_ULONG_PTR pulPartLen);
+
+CK_RV               mock_unsupported_C_GenerateKey             (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount,
+                                                                CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV               mock_no_mechanisms_C_GenerateKeyPair         (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+                                                                CK_ULONG ulPublicKeyAttributeCount,
+                                                                CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+                                                                CK_ULONG ulPrivateKeyAttributeCount,
+                                                                CK_OBJECT_HANDLE_PTR phPublicKey,
+                                                                CK_OBJECT_HANDLE_PTR phPrivateKey);
+
+CK_RV               mock_no_mechanisms_C_WrapKey                 (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hWrappingKey,
+                                                                CK_OBJECT_HANDLE hKey,
+                                                                CK_BYTE_PTR pWrappedKey,
+                                                                CK_ULONG_PTR pulWrappedKeyLen);
+
+CK_RV               mock_no_mechanisms_C_UnwrapKey               (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE pUnwrappingKey,
+                                                                CK_BYTE_PTR pWrappedKey,
+                                                                CK_ULONG pulWrappedKeyLen,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount,
+                                                                CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV               mock_no_mechanisms_C_DeriveKey               (CK_SESSION_HANDLE hSession,
+                                                                CK_MECHANISM_PTR pMechanism,
+                                                                CK_OBJECT_HANDLE hBaseKey,
+                                                                CK_ATTRIBUTE_PTR pTemplate,
+                                                                CK_ULONG ulCount,
+                                                                CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV               mock_unsupported_C_SeedRandom              (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pSeed,
+                                                                CK_ULONG ulSeedLen);
+
+CK_RV               mock_unsupported_C_GenerateRandom          (CK_SESSION_HANDLE hSession,
+                                                                CK_BYTE_PTR pRandomData,
+                                                                CK_ULONG ulRandomLen);
+
+CK_OBJECT_HANDLE    mock_module_find_object                    (CK_SESSION_HANDLE session,
+                                                                CK_ATTRIBUTE_PTR attrs,
+                                                                CK_ULONG n_attrs);
+
+guint               mock_module_count_objects                  (CK_SESSION_HANDLE session);
+
+typedef gboolean    (*MockEnumerator)                          (CK_OBJECT_HANDLE handle,
+                                                                GPkcs11Array *attrs,
+                                                                gpointer user_data);
+
+void                mock_module_enumerate_objects              (CK_SESSION_HANDLE session,
+                                                                MockEnumerator func,
+                                                                gpointer user_data);
+
+CK_OBJECT_HANDLE    mock_module_take_object                    (GPkcs11Array *attrs);
+
+void                mock_module_set_object                     (CK_OBJECT_HANDLE object,
+                                                                CK_ATTRIBUTE_PTR attrs,
+                                                                CK_ULONG n_attrs);
+
+void                mock_module_set_pin                        (const gchar *password);
+
+#define MOCK_SLOT_ONE_ID  52
+#define MOCK_SLOT_TWO_ID  134
+
+#define MOCK_SLOT_ONE_PIN "booo"
+#define MOCK_SLOT_ONE_URI "pkcs11:manufacturer=TEST%20MANUFACTURER;serial=TEST%20SERIAL"
+
+#endif /* MOCK_MODULE_H */
diff --git a/tls/tests/pkcs11-array.c b/tls/tests/pkcs11-array.c
new file mode 100644
index 0000000..c3c512d
--- /dev/null
+++ b/tls/tests/pkcs11-array.c
@@ -0,0 +1,288 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO TLS tests
+ *
+ * Copyright (C) 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include <gio/gio.h>
+
+#include <sys/types.h>
+#include <string.h>
+
+#include "pkcs11/gpkcs11array.h"
+
+typedef struct {
+  GPkcs11Array *array;
+} TestArray;
+
+static void
+setup_array (TestArray          *test,
+             gconstpointer       unused)
+{
+  test->array = g_pkcs11_array_new ();
+  g_assert (test->array);
+}
+
+static void
+teardown_array (TestArray       *test,
+                gconstpointer    unused)
+{
+  g_pkcs11_array_unref (test->array);
+}
+
+static void
+test_add_find (TestArray      *test,
+               gconstpointer   data)
+{
+  CK_ATTRIBUTE attr;
+  const CK_ATTRIBUTE *check;
+  const gchar *value = "test";
+
+  attr.type = CKA_LABEL;
+  attr.ulValueLen = strlen (value) + 1;
+  attr.pValue = (gpointer)value;
+  g_pkcs11_array_add (test->array, &attr);
+  memset (&attr, 0, sizeof (attr));
+
+  check = g_pkcs11_array_find (test->array, CKA_LABEL);
+  g_assert (check != NULL);
+  g_assert_cmpuint ((guint)check->ulValueLen, ==, strlen (value) + 1);
+  g_assert_cmpstr (check->pValue, ==, value);
+  g_assert (check->pValue != value);
+
+  /* Should be copied properly, and be independent from stack value */
+  g_assert (check != &attr);
+
+  check = g_pkcs11_array_find (test->array, CKA_ID);
+  g_assert (check == NULL);
+  g_assert_cmpuint (test->array->count, ==, 1);
+
+  /* Adding a second value of same type, should add a duplicate */
+  attr.type = CKA_LABEL;
+  attr.ulValueLen = 3;
+  attr.pValue = "bye";
+  g_pkcs11_array_add (test->array, &attr);
+  g_assert_cmpuint (test->array->count, ==, 2);
+}
+
+static void
+test_set_find (TestArray      *test,
+               gconstpointer   data)
+{
+  CK_ATTRIBUTE attr;
+  const CK_ATTRIBUTE *check;
+  const gchar *value = "test";
+
+  attr.type = CKA_LABEL;
+  attr.ulValueLen = strlen (value) + 1;
+  attr.pValue = (gpointer)value;
+  g_pkcs11_array_set (test->array, &attr);
+  memset (&attr, 0, sizeof (attr));
+
+  check = g_pkcs11_array_find (test->array, CKA_LABEL);
+  g_assert (check != NULL);
+  g_assert_cmpuint ((guint)check->ulValueLen, ==, strlen (value) + 1);
+  g_assert_cmpstr (check->pValue, ==, value);
+  g_assert (check->pValue != value);
+
+  /* Should be copied properly, and be independent from stack value */
+  g_assert (check != &attr);
+
+  /* Adding a second value of same type should override */
+  attr.type = CKA_LABEL;
+  attr.ulValueLen = 3;
+  attr.pValue = "bye";
+  g_pkcs11_array_set (test->array, &attr);
+  g_assert_cmpuint (test->array->count, ==, 1);
+}
+
+static void
+test_value (TestArray      *test,
+            gconstpointer   data)
+{
+  const CK_ATTRIBUTE *check;
+  const gchar *value = "test";
+
+  /* Add with null termiator */
+  g_pkcs11_array_add_value (test->array, CKA_LABEL, value, -1);
+  check = g_pkcs11_array_find (test->array, CKA_LABEL);
+  g_assert (check != NULL);
+  g_assert_cmpuint ((guint)check->ulValueLen, ==, strlen (value));
+  g_assert (memcmp (check->pValue, value, check->ulValueLen) == 0);
+  g_assert (check->pValue != value);
+
+  /* Add with value length */
+  g_pkcs11_array_add_value (test->array, CKA_ID, value, 3);
+  check = g_pkcs11_array_find (test->array, CKA_ID);
+  g_assert (check != NULL);
+  g_assert_cmpuint ((guint)check->ulValueLen, ==, 3);
+  g_assert (memcmp (check->pValue, value, check->ulValueLen) == 0);
+  g_assert (check->pValue != value);
+  g_assert_cmpuint (test->array->count, ==, 2);
+
+  /* Set should override */
+  g_pkcs11_array_set_value (test->array, CKA_LABEL, "boring", 6);
+  check = g_pkcs11_array_find (test->array, CKA_LABEL);
+  g_assert (check != NULL);
+  g_assert_cmpuint ((guint)check->ulValueLen, ==, 6);
+  g_assert (memcmp (check->pValue, "boring", check->ulValueLen) == 0);
+  g_assert_cmpuint (test->array->count, ==, 2);
+
+  /* Override with calculated length */
+  g_pkcs11_array_set_value (test->array, CKA_LABEL, "boring", -1);
+  check = g_pkcs11_array_find (test->array, CKA_LABEL);
+  g_assert (check != NULL);
+  g_assert_cmpuint ((guint)check->ulValueLen, ==, 6);
+  g_assert (memcmp (check->pValue, "boring", check->ulValueLen) == 0);
+  g_assert_cmpuint (test->array->count, ==, 2);
+
+}
+
+static void
+test_boolean (TestArray      *test,
+              gconstpointer   data)
+{
+  const CK_ATTRIBUTE *check;
+  gboolean bval = FALSE;
+
+  g_pkcs11_array_add_boolean (test->array, CKA_TOKEN, TRUE);
+  if (!g_pkcs11_array_find_boolean (test->array, CKA_TOKEN, &bval))
+    g_assert_not_reached ();
+  g_assert (bval == TRUE);
+
+  /* Check that it's actually formatted right */
+  check = g_pkcs11_array_find (test->array, CKA_TOKEN);
+  g_assert (check != NULL);
+  g_assert_cmpuint (check->ulValueLen, ==, sizeof (CK_BBOOL));
+  g_assert (check->pValue != NULL);
+  g_assert (*((CK_BBOOL*)check->pValue) == CK_TRUE);
+
+  /* Check FALSE */
+  g_pkcs11_array_add_boolean (test->array, CKA_ENCRYPT, FALSE);
+
+  /* Check that it's actually formatted right */
+  check = g_pkcs11_array_find (test->array, CKA_ENCRYPT);
+  g_assert (check != NULL);
+  g_assert_cmpuint (check->ulValueLen, ==, sizeof (CK_BBOOL));
+  g_assert (check->pValue != NULL);
+  g_assert (*((CK_BBOOL*)check->pValue) == CK_FALSE);
+  g_assert_cmpuint (test->array->count, ==, 2);
+
+  /* Add a non boolean value */
+  g_pkcs11_array_add_value (test->array, CKA_LABEL, "label", -1);
+
+  /* Shouldn't work to find boolean on that */
+  if (g_pkcs11_array_find_boolean (test->array, CKA_LABEL, &bval))
+    g_assert_not_reached ();
+  g_assert_cmpuint (test->array->count, ==, 3);
+
+  /* Set should override */
+  g_pkcs11_array_set_boolean (test->array, CKA_TOKEN, FALSE);
+  if (!g_pkcs11_array_find_boolean (test->array, CKA_TOKEN, &bval))
+    g_assert_not_reached ();
+  g_assert (bval == FALSE);
+  g_assert_cmpuint (test->array->count, ==, 3);
+}
+
+static void
+test_ulong (TestArray      *test,
+            gconstpointer   data)
+{
+  const CK_ATTRIBUTE *check;
+  gulong uval = FALSE;
+
+  g_pkcs11_array_add_ulong (test->array, CKA_PIXEL_X, 38938);
+  if (!g_pkcs11_array_find_ulong (test->array, CKA_PIXEL_X, &uval))
+    g_assert_not_reached ();
+  g_assert (uval == 38938UL);
+  g_assert_cmpuint (test->array->count, ==, 1);
+
+  /* Check that it's actually formatted right */
+  check = g_pkcs11_array_find (test->array, CKA_PIXEL_X);
+  g_assert (check != NULL);
+  g_assert_cmpuint (check->ulValueLen, ==, sizeof (CK_ULONG));
+  g_assert (check->pValue != NULL);
+  g_assert (*((CK_ULONG*)check->pValue) == 38938UL);
+
+  /* Check -1, since this is used regularly */
+  g_pkcs11_array_add_ulong (test->array, CKA_MODULUS_BITS, (gulong)-1);
+
+  /* Check that it's actually formatted right */
+  check = g_pkcs11_array_find (test->array, CKA_MODULUS_BITS);
+  g_assert (check != NULL);
+  g_assert_cmpuint (check->ulValueLen, ==, sizeof (CK_ULONG));
+  g_assert (check->pValue != NULL);
+  g_assert (*((CK_ULONG*)check->pValue) == (CK_ULONG)-1);
+  g_assert_cmpuint (test->array->count, ==, 2);
+
+  /* Add a non ulong length value */
+  g_pkcs11_array_add_value (test->array, CKA_LABEL, "label", -1);
+  g_assert_cmpuint (test->array->count, ==, 3);
+
+  /* Shouldn't work to find ulong on that */
+  if (g_pkcs11_array_find_ulong (test->array, CKA_LABEL, &uval))
+    g_assert_not_reached ();
+
+  /* Set should override */
+  g_pkcs11_array_set_ulong (test->array, CKA_PIXEL_X, 48);
+  if (!g_pkcs11_array_find_ulong (test->array, CKA_PIXEL_X, &uval))
+    g_assert_not_reached ();
+  g_assert (uval == 48UL);
+  g_assert_cmpuint (test->array->count, ==, 3);
+}
+
+static void
+test_boxed (TestArray      *test,
+            gconstpointer   data)
+{
+  GPkcs11Array *array;
+
+  /* Should reference */
+  array = g_boxed_copy (G_TYPE_PKCS11_ARRAY, test->array);
+  g_assert (array == test->array);
+
+  /* Should unreference */
+  g_boxed_free (G_TYPE_PKCS11_ARRAY, array);
+}
+
+int
+main (int   argc,
+      char *argv[])
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add ("/pkcs11/array/add-find", TestArray, NULL,
+              setup_array, test_add_find, teardown_array);
+  g_test_add ("/pkcs11/array/set-find", TestArray, NULL,
+              setup_array, test_set_find, teardown_array);
+  g_test_add ("/pkcs11/array/value", TestArray, NULL,
+              setup_array, test_value, teardown_array);
+  g_test_add ("/pkcs11/array/boolean", TestArray, NULL,
+              setup_array, test_boolean, teardown_array);
+  g_test_add ("/pkcs11/array/ulong", TestArray, NULL,
+              setup_array, test_ulong, teardown_array);
+  g_test_add ("/pkcs11/array/boxed", TestArray, NULL,
+              setup_array, test_boxed, teardown_array);
+
+  return g_test_run();
+}
diff --git a/tls/tests/pkcs11-pin.c b/tls/tests/pkcs11-pin.c
new file mode 100644
index 0000000..79a34dd
--- /dev/null
+++ b/tls/tests/pkcs11-pin.c
@@ -0,0 +1,152 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO TLS tests
+ *
+ * Copyright (C) 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include <gio/gio.h>
+
+#include <sys/types.h>
+#include <string.h>
+
+#include "pkcs11/gpkcs11pin.h"
+
+typedef struct {
+  GTlsPassword *pin;
+} TestPin;
+
+static void
+setup_pin (TestPin          *test,
+           gconstpointer     unused)
+{
+  test->pin = g_pkcs11_pin_new (G_TLS_PASSWORD_RETRY, "Test description");
+  g_assert (G_IS_PKCS11_PIN (test->pin));
+  g_assert (G_IS_TLS_PASSWORD (test->pin));
+}
+
+static void
+teardown_pin (TestPin       *test,
+              gconstpointer  unused)
+{
+  g_assert_cmpint (G_OBJECT (test->pin)->ref_count, ==, 1);
+  g_object_unref (test->pin);
+}
+
+static void
+test_attributes (TestPin        *test,
+                 gconstpointer   data)
+{
+  GTlsPasswordFlags flags;
+  const gchar *description;
+
+  flags = g_tls_password_get_flags (test->pin);
+  g_assert_cmpuint (flags, ==, G_TLS_PASSWORD_RETRY);
+
+  description = g_tls_password_get_description (test->pin);
+  g_assert_cmpstr (description, ==, "Test description");
+}
+
+static void
+test_warnings (TestPin        *test,
+               gconstpointer   data)
+{
+  const gchar *warning;
+
+  g_tls_password_set_flags (test->pin, G_TLS_PASSWORD_RETRY);
+  warning = g_tls_password_get_warning (test->pin);
+  g_assert (warning != NULL);
+
+  g_tls_password_set_flags (test->pin, G_TLS_PASSWORD_FINAL_TRY);
+  warning = g_tls_password_get_warning (test->pin);
+  g_assert (warning != NULL);
+
+  g_tls_password_set_flags (test->pin, G_TLS_PASSWORD_MANY_TRIES);
+  warning = g_tls_password_get_warning (test->pin);
+  g_assert (warning != NULL);
+
+  g_tls_password_set_flags (test->pin, (GTlsPasswordFlags)0x10000000);
+  warning = g_tls_password_get_warning (test->pin);
+  g_assert (warning == NULL);
+
+}
+
+static void
+test_set_get_value (TestPin        *test,
+                    gconstpointer   data)
+{
+  const guchar *value;
+  gsize n_value = G_MAXSIZE;
+
+  value = g_tls_password_get_value (test->pin, &n_value);
+  g_assert_cmpuint (n_value, ==, 0);
+  g_assert (value == NULL);
+
+  g_tls_password_set_value (test->pin, (const guchar *)"secret", -1);
+
+  value = g_tls_password_get_value (test->pin, &n_value);
+  g_assert_cmpuint (n_value, ==, 6);
+  g_assert (!strncmp ((const gchar *)value, "secret", n_value));
+
+  g_tls_password_set_value (test->pin, (const guchar *)"other", 5);
+
+  value = g_tls_password_get_value (test->pin, &n_value);
+  g_assert_cmpuint (n_value, ==, 5);
+  g_assert (!strncmp ((const gchar *)value, "other", n_value));
+}
+
+static void
+test_internal_pin (TestPin        *test,
+                   gconstpointer   data)
+{
+  P11KitPin *pin;
+  const unsigned char *value;
+  size_t n_value;
+
+  g_tls_password_set_value (test->pin, (const guchar *)"secret", -1);
+
+  pin = g_pkcs11_pin_steal_internal (G_PKCS11_PIN (test->pin));
+
+  value = p11_kit_pin_get_value (pin, &n_value);
+  g_assert_cmpuint (n_value, ==, 6);
+  g_assert (!strncmp ((const gchar *)value, "secret", n_value));
+
+  p11_kit_pin_unref (pin);
+}
+
+int
+main (int   argc,
+      char *argv[])
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add ("/pkcs11/pin/attributes", TestPin, NULL,
+              setup_pin, test_attributes, teardown_pin);
+  g_test_add ("/pkcs11/pin/warnings", TestPin, NULL,
+              setup_pin, test_warnings, teardown_pin);
+  g_test_add ("/pkcs11/pin/set-get-value", TestPin, NULL,
+              setup_pin, test_set_get_value, teardown_pin);
+  g_test_add ("/pkcs11/pin/internal-pin", TestPin, NULL,
+              setup_pin, test_internal_pin, teardown_pin);
+
+  return g_test_run();
+}
diff --git a/tls/tests/pkcs11-slot.c b/tls/tests/pkcs11-slot.c
new file mode 100644
index 0000000..0fcd44b
--- /dev/null
+++ b/tls/tests/pkcs11-slot.c
@@ -0,0 +1,526 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO TLS tests
+ *
+ * Copyright (C) 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include <gio/gio.h>
+
+#include <sys/types.h>
+#include <string.h>
+
+#include "pkcs11/gpkcs11slot.h"
+#include "pkcs11/gpkcs11util.h"
+
+#include "mock-pkcs11.h"
+#include "mock-interaction.h"
+
+#include <p11-kit/p11-kit.h>
+
+#include <stdlib.h>
+
+typedef struct {
+  CK_FUNCTION_LIST funcs;
+  GPkcs11Slot *slot;
+  GPkcs11Slot *not_present;
+} TestSlot;
+
+static void
+setup_slot (TestSlot        *test,
+            gconstpointer    unused)
+{
+  CK_RV rv;
+
+  /* Copy this so we can replace certain functions in our tests */
+  memcpy (&test->funcs, &mock_default_functions, sizeof (test->funcs));
+
+  rv = p11_kit_module_initialize (&test->funcs);
+  g_assert (rv == CKR_OK);
+
+  test->slot = g_object_new (G_TYPE_PKCS11_SLOT,
+                             "slot-id", MOCK_SLOT_ONE_ID,
+                             "module", &test->funcs,
+                             NULL);
+  g_assert (G_IS_PKCS11_SLOT (test->slot));
+
+  test->not_present = g_object_new (G_TYPE_PKCS11_SLOT,
+                                    "slot-id", MOCK_SLOT_TWO_ID,
+                                    "module", &test->funcs,
+                                    NULL);
+  g_assert (G_IS_PKCS11_SLOT (test->not_present));
+}
+
+static void
+teardown_slot (TestSlot     *test,
+               gconstpointer unused)
+{
+  CK_RV rv;
+
+  g_assert_cmpint (G_OBJECT (test->slot)->ref_count, ==, 1);
+  g_object_unref (test->slot);
+
+  g_assert_cmpint (G_OBJECT (test->not_present)->ref_count, ==, 1);
+  g_object_unref (test->not_present);
+
+  rv = p11_kit_module_finalize (&test->funcs);
+  g_assert (rv == CKR_OK);
+}
+
+static void
+test_properties (TestSlot       *test,
+                 gconstpointer   unused)
+{
+  CK_SLOT_ID id;
+  CK_FUNCTION_LIST_PTR module;
+
+  g_object_get (test->slot, "slot-id", &id, "module", &module, NULL);
+  g_assert_cmpuint (id, ==, MOCK_SLOT_ONE_ID);
+  g_assert (module == &test->funcs);
+}
+
+static void
+test_token_info (TestSlot       *test,
+                 gconstpointer   unused)
+{
+  CK_TOKEN_INFO token_info;
+  char *label;
+
+  if (!g_pkcs11_slot_get_token_info (test->slot, &token_info))
+    g_assert_not_reached ();
+
+  label = p11_kit_space_strdup (token_info.label, sizeof (token_info.label));
+  g_assert_cmpstr (label, ==, "TEST LABEL");
+  free (label);
+}
+
+static void
+test_token_info_not_present (TestSlot       *test,
+                             gconstpointer   unused)
+{
+  CK_TOKEN_INFO token_info;
+  char *label;
+
+  if (!g_pkcs11_slot_get_token_info (test->slot, &token_info))
+    g_assert_not_reached ();
+
+  label = p11_kit_space_strdup (token_info.label, sizeof (token_info.label));
+  g_assert_cmpstr (label, ==, "TEST LABEL");
+  free (label);
+}
+
+static void
+test_matches_uri (TestSlot       *test,
+                  gconstpointer   unused)
+{
+  P11KitUri *uri;
+
+  uri = p11_kit_uri_new ();
+  if (p11_kit_uri_parse (MOCK_SLOT_ONE_URI, P11_KIT_URI_FOR_TOKEN, uri) != 0)
+    g_assert_not_reached ();
+  g_assert (!p11_kit_uri_any_unrecognized (uri));
+
+  if (!g_pkcs11_slot_matches_uri (test->slot, uri))
+    g_assert_not_reached();
+
+  if (g_pkcs11_slot_matches_uri (test->not_present, uri))
+    g_assert_not_reached ();
+
+  p11_kit_uri_free (uri);
+}
+
+
+static gboolean
+accumulate_check_not_called (gpointer result,
+                             gpointer user_data)
+{
+  g_assert_not_reached ();
+  return FALSE;
+}
+
+static void
+test_enumerate_no_match (TestSlot     *test,
+                         gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  CK_ATTRIBUTE_TYPE types[] = { CKA_LABEL, CKA_ID };
+  GError *error = NULL;
+  GPkcs11Array *match;
+
+  match = g_pkcs11_array_new ();
+  g_pkcs11_array_add_value (match, CKA_LABEL, "Non existant", -1);
+  g_pkcs11_array_add_value (match, CKA_ID, "Bad ID", -1);
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_check_not_called, NULL,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+
+  g_pkcs11_array_unref (match);
+}
+
+static void
+test_enumerate_not_present (TestSlot      *test,
+                            gconstpointer  unused)
+{
+  GPkcs11EnumerateState state;
+  CK_ATTRIBUTE_TYPE types[] = { CKA_LABEL, CKA_ID };
+  GError *error = NULL;
+  GPkcs11Array *match;
+
+  /* Empty match should match anything ... */
+  match = g_pkcs11_array_new ();
+
+  /* ... but token is not present, so nothing */
+  state = g_pkcs11_slot_enumerate (test->not_present, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_check_not_called, NULL,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+
+  g_pkcs11_array_unref (match);
+}
+
+static gboolean
+accumulate_results (gpointer result,
+                    gpointer user_data)
+{
+  GPtrArray *results = user_data;
+  GPkcs11Array *attrs = result;
+
+  g_assert (results);
+  g_assert (attrs);
+
+  g_ptr_array_add (results, g_pkcs11_array_ref (attrs));
+  return TRUE;
+}
+
+static void
+test_enumerate_all (TestSlot     *test,
+                    gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  CK_ATTRIBUTE_TYPE types[] = { CKA_LABEL, CKA_ID };
+  GError *error = NULL;
+  GPkcs11Array *match;
+  GPkcs11Array *attrs;
+  GPtrArray *results;
+  const CK_ATTRIBUTE *attr;
+  guint i;
+
+  /* Match anything */
+  match = g_pkcs11_array_new ();
+
+  results = g_ptr_array_new_with_free_func ((GDestroyNotify)g_pkcs11_array_unref);
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_results, results,
+                                   NULL, &error);
+
+  g_pkcs11_array_unref (match);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+
+  g_assert_cmpuint (results->len, >, 1);
+
+  for (i = 0; i < results->len; i++)
+    {
+      attrs = results->pdata[i];
+      attr = g_pkcs11_array_find (attrs, CKA_LABEL);
+      g_assert (attr != NULL);
+      g_assert (g_utf8_validate (attr->pValue, attr->ulValueLen, NULL));
+    }
+
+  g_ptr_array_free (results, TRUE);
+}
+
+static gboolean
+accumulate_first (gpointer result,
+                  gpointer user_data)
+{
+  GPtrArray *results = user_data;
+  GPkcs11Array *attrs = result;
+
+  g_assert (results);
+  g_assert (attrs);
+  g_assert_cmpuint (results->len, ==, 0);
+
+  g_ptr_array_add (results, g_pkcs11_array_ref (attrs));
+  return FALSE; /* Don't call again */
+}
+
+static void
+test_enumerate_first (TestSlot     *test,
+                      gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  CK_ATTRIBUTE_TYPE types[] = { CKA_LABEL, CKA_ID };
+  GError *error = NULL;
+  GPkcs11Array *match;
+  GPkcs11Array *attrs;
+  GPtrArray *results;
+  const CK_ATTRIBUTE *attr;
+
+  /* Match anything */
+  match = g_pkcs11_array_new ();
+
+  results = g_ptr_array_new_with_free_func ((GDestroyNotify)g_pkcs11_array_unref);
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_first, results,
+                                   NULL, &error);
+
+  g_pkcs11_array_unref (match);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_STOP);
+  g_assert_no_error (error);
+
+  g_assert_cmpuint (results->len, ==, 1);
+  attrs = results->pdata[0];
+  attr = g_pkcs11_array_find (attrs, CKA_LABEL);
+  g_assert (attr != NULL);
+  g_assert (g_utf8_validate (attr->pValue, attr->ulValueLen, NULL));
+
+  g_ptr_array_free (results, TRUE);
+}
+
+static gboolean
+accumulate_check_null_result (gpointer result,
+                              gpointer user_data)
+{
+  GPkcs11Array *attrs = result;
+  g_assert (attrs == NULL);
+  return TRUE; /* call again */
+}
+
+static void
+test_enumerate_no_attrs (TestSlot     *test,
+                         gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  GError *error = NULL;
+  GPkcs11Array *match;
+
+  /* Match anything */
+  match = g_pkcs11_array_new ();
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   NULL, 0,
+                                   accumulate_check_null_result, NULL,
+                                   NULL, &error);
+
+  g_pkcs11_array_unref (match);
+
+  /* Didn't find anything, so continue */
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+}
+
+static void
+test_enumerate_fail_session (TestSlot     *test,
+                             gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  GError *error = NULL;
+
+  /* Make opening a session fail */
+  test->funcs.C_OpenSession = mock_fail_C_OpenSession;
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   NULL, 0, FALSE,
+                                   NULL, 0,
+                                   accumulate_check_not_called, NULL,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_FAILED);
+  g_assert_error (error, G_PKCS11_ERROR, CKR_GENERAL_ERROR);
+  g_error_free (error);
+}
+
+static void
+test_enumerate_fail_attributes (TestSlot     *test,
+                                gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  GError *error = NULL;
+  CK_ATTRIBUTE_TYPE types[] = { CKA_LABEL, CKA_ID };
+
+  /* Make retrieving object attrs fail */
+  test->funcs.C_GetAttributeValue = mock_fail_C_GetAttributeValue;
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   NULL, 0, FALSE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_check_not_called, NULL,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_FAILED);
+  g_assert_error (error, G_PKCS11_ERROR, CKR_FUNCTION_FAILED);
+  g_error_free (error);
+}
+
+static gboolean
+accumulate_cancel_on_first (gpointer result,
+                            gpointer user_data)
+{
+  GCancellable *cancellable = G_CANCELLABLE (user_data);
+  g_assert (!g_cancellable_is_cancelled (cancellable));
+  g_cancellable_cancel (cancellable);
+  return TRUE; /* call again, except that above cancellation should stop */
+}
+
+static void
+test_enumerate_cancel (TestSlot     *test,
+                       gconstpointer unused)
+{
+  GPkcs11EnumerateState state;
+  GError *error = NULL;
+  GPkcs11Array *match;
+  GCancellable *cancellable;
+
+  cancellable = g_cancellable_new ();
+
+  /* Match anything */
+  match = g_pkcs11_array_new ();
+
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   NULL, 0,
+                                   accumulate_cancel_on_first, cancellable,
+                                   cancellable, &error);
+
+  g_pkcs11_array_unref (match);
+  g_object_unref (cancellable);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_FAILED);
+  g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CANCELLED);
+  g_error_free (error);
+}
+
+static void
+test_enumerate_private (TestSlot     *test,
+                        gconstpointer unused)
+{
+  CK_ATTRIBUTE_TYPE types[] = { CKA_LABEL, CKA_ID, CKA_PRIVATE };
+  GPkcs11EnumerateState state;
+  GError *error = NULL;
+  GPkcs11Array *match;
+  GPtrArray *results;
+  gboolean bval;
+  GTlsInteraction *interaction;
+
+  /* Match label of private object, see mock*/
+  match = g_pkcs11_array_new ();
+  g_pkcs11_array_add_value (match, CKA_LABEL, "PRIVATE", -1);
+
+  /* Shouldn't match anything, since not logged in */
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, FALSE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_check_not_called, NULL,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+
+  /* This time we try to log in but no interaction is set */
+  state = g_pkcs11_slot_enumerate (test->slot, NULL,
+                                   match->attrs, match->count, TRUE, /* match privates */
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_check_not_called, NULL,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+
+  /* This time we log in, and should have a match */
+  results = g_ptr_array_new_with_free_func ((GDestroyNotify)g_pkcs11_array_unref);
+  interaction = mock_interaction_new_static_password (MOCK_SLOT_ONE_PIN);
+
+  state = g_pkcs11_slot_enumerate (test->slot, interaction,
+                                   match->attrs, match->count, TRUE,
+                                   types, G_N_ELEMENTS (types),
+                                   accumulate_results, results,
+                                   NULL, &error);
+
+  g_assert_cmpuint (state, ==, G_PKCS11_ENUMERATE_CONTINUE);
+  g_assert_no_error (error);
+
+  /* One private object, with following info */
+  g_assert_cmpuint (results->len, ==, 1);
+  if (!g_pkcs11_array_find_boolean (results->pdata[0], CKA_PRIVATE, &bval))
+    g_assert_not_reached ();
+  g_assert (bval == TRUE);
+
+  g_object_unref (interaction);
+  g_pkcs11_array_unref (match);
+  g_ptr_array_free (results, TRUE);
+}
+
+int
+main (int   argc,
+      char *argv[])
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add ("/pkcs11/slot/properties", TestSlot, NULL,
+              setup_slot, test_properties, teardown_slot);
+  g_test_add ("/pkcs11/slot/token-info", TestSlot, NULL,
+              setup_slot, test_token_info, teardown_slot);
+  g_test_add ("/pkcs11/slot/token-not-present", TestSlot, NULL,
+              setup_slot, test_token_info_not_present, teardown_slot);
+  g_test_add ("/pkcs11/slot/matches-uri", TestSlot, NULL,
+              setup_slot, test_matches_uri, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-no-match", TestSlot, NULL,
+              setup_slot, test_enumerate_no_match, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-not-present", TestSlot, NULL,
+              setup_slot, test_enumerate_not_present, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-all", TestSlot, NULL,
+              setup_slot, test_enumerate_all, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-first", TestSlot, NULL,
+              setup_slot, test_enumerate_first, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-no-attrs", TestSlot, NULL,
+              setup_slot, test_enumerate_no_attrs, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-fail-session", TestSlot, NULL,
+              setup_slot, test_enumerate_fail_session, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-fail-attributes", TestSlot, NULL,
+              setup_slot, test_enumerate_fail_attributes, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-cancel", TestSlot, NULL,
+              setup_slot, test_enumerate_cancel, teardown_slot);
+  g_test_add ("/pkcs11/slot/enumerate-private", TestSlot, NULL,
+              setup_slot, test_enumerate_private, teardown_slot);
+
+  return g_test_run();
+}
diff --git a/tls/tests/pkcs11-util.c b/tls/tests/pkcs11-util.c
new file mode 100644
index 0000000..b432651
--- /dev/null
+++ b/tls/tests/pkcs11-util.c
@@ -0,0 +1,63 @@
+/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * GIO TLS tests
+ *
+ * Copyright (C) 2011 Collabora, Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * In addition, when the library is used with OpenSSL, a special
+ * exception applies. Refer to the LICENSE_EXCEPTION file for details.
+ *
+ * Author: Stef Walter <stefw collabora co uk>
+ */
+
+#include <gio/gio.h>
+
+#include <sys/types.h>
+#include <string.h>
+
+#include "pkcs11/gpkcs11util.h"
+
+static void
+test_propagate_error (void)
+{
+  GError *error = NULL;
+
+  if (!g_pkcs11_propagate_error (&error, CKR_BUFFER_TOO_SMALL))
+    g_assert_not_reached ();
+  g_assert_error (error, G_PKCS11_ERROR, (gint)CKR_BUFFER_TOO_SMALL);
+  g_clear_error (&error);
+
+  if (g_pkcs11_propagate_error (&error, CKR_OK))
+    g_assert_not_reached ();
+  g_assert_no_error (error);
+
+  if (!g_pkcs11_propagate_error (&error, CKR_CANCEL))
+    g_assert_not_reached ();
+  g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CANCELLED);
+  g_clear_error (&error);
+}
+
+int
+main (int   argc,
+      char *argv[])
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add_func ("/pkcs11/util/propagate-error", test_propagate_error);
+
+  return g_test_run();
+}
[
Date Prev][
Date Next]   [
Thread Prev][
Thread Next]   
[
Thread Index]
[
Date Index]
[
Author Index]