diff -up ./src/coolkey/coolkey.cpp.alt-cac ./src/coolkey/coolkey.cpp

--- ./src/coolkey/coolkey.cpp.alt-cac	2016-12-01 15:37:49.106167768 -0800

+++ ./src/coolkey/coolkey.cpp	2016-12-01 15:37:49.113167892 -0800

@@ -80,9 +80,16 @@ ecMechanismList[] = {

     {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},

     {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }

 };

+static const MechInfo

+allMechanismList[] = {

+    {CKM_RSA_PKCS, { 1024, 4096, CKF_HW | CKF_SIGN | CKF_DECRYPT } },

+    {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},

+    {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }

+};

 unsigned int numRSAMechanisms = sizeof(rsaMechanismList)/sizeof(MechInfo);

 unsigned int numECMechanisms = sizeof(ecMechanismList)/sizeof(MechInfo);

+unsigned int numAllMechanisms = sizeof(allMechanismList)/sizeof(MechInfo);

 /* ------------------------------------------------------------ */

@@ -382,13 +389,22 @@ C_GetMechanismList(CK_SLOT_ID slotID, CK

             return CKR_TOKEN_NOT_PRESENT;

         }

-        if ( slot->getIsECC()) {

+	switch (slot->getAlgs()) {

+	case ALG_ECC|ALG_RSA:

+            mechanismList = allMechanismList;

+            numMechanisms = numAllMechanisms;

+	    break;

+	case ALG_ECC:

             mechanismList = ecMechanismList;

             numMechanisms = numECMechanisms;

-        } else {

+	    break;

+	case ALG_NONE:

+	case ALG_RSA:

+	default:

             mechanismList = rsaMechanismList;

             numMechanisms = numRSAMechanisms;

-        }

+	    break;

+	}

         if( pMechanismList != NULL ) {

             if( *pulCount < numMechanisms ) {

@@ -438,13 +454,22 @@ C_GetMechanismInfo(CK_SLOT_ID slotID, CK

             return CKR_TOKEN_NOT_PRESENT;

         }

-        if ( slot->getIsECC()) {

+	switch (slot->getAlgs()) {

+	case ALG_ECC|ALG_RSA:

+            mechanismList = allMechanismList;

+            numMechanisms = numAllMechanisms;

+	    break;

+	case ALG_ECC:

             mechanismList = ecMechanismList;

             numMechanisms = numECMechanisms;

-        } else {

+	    break;

+	case ALG_NONE:

+	case ALG_RSA:

+	default:

             mechanismList = rsaMechanismList;

             numMechanisms = numRSAMechanisms;

-        }

+	    break;

+	}

         for(unsigned int i=0; i < numMechanisms; ++i ) {

             if( mechanismList[i].mech == type ) {

diff -up ./src/coolkey/object.cpp.alt-cac ./src/coolkey/object.cpp

--- ./src/coolkey/object.cpp.alt-cac	2016-12-01 15:37:49.097167608 -0800

+++ ./src/coolkey/object.cpp	2016-12-01 15:37:49.114167910 -0800

@@ -1232,7 +1232,7 @@ Reader::Reader(unsigned long muscleObjID

 }

-CACPrivKey::CACPrivKey(CKYByte instance, const PKCS11Object &cert) : 

+CACPrivKey::CACPrivKey(CKYByte instance, const PKCS11Object &cert,bool isPIV) : 

         PKCS11Object( ((int)'k') << 24 | ((int)instance+'0') << 16,

                          instance | 0x400)

 {

@@ -1242,7 +1242,9 @@ CACPrivKey::CACPrivKey(CKYByte instance,

     /* So we know what the key is supposed to be used for based on

      * the instance */

-    if (instance == 2) {

+    /* instance 2 is usually a decryption cert. >2 are usually old decryption 

+     * certs */

+    if (instance == 2 || (instance > (isPIV ? 3 : 2))) {

         decrypt = TRUE;

     }

@@ -1305,8 +1307,8 @@ CACPrivKey::CACPrivKey(CKYByte instance,

      CKYBuffer_FreeData(&param2);

 }

-CACPubKey::CACPubKey(CKYByte instance, const PKCS11Object &cert) : 

-        PKCS11Object( ((int)'k') << 24 | ((int)(instance+'5')) << 16,

+CACPubKey::CACPubKey(CKYByte instance, const PKCS11Object &cert, bool isPIV) : 

+        PKCS11Object( ((int)'k') << 24 | ((int)(instance+'a')) << 16,

                        instance | 0x500)

 {

     CKYBuffer id;

@@ -1315,7 +1317,7 @@ CACPubKey::CACPubKey(CKYByte instance, c

     /* So we know what the key is supposed to be used for based on

      * the instance */

-    if (instance == 2) {

+    if (instance == 2 || (instance > (isPIV ? 3 : 2))) {

         encrypt = TRUE;

     }

@@ -1359,6 +1361,9 @@ CACPubKey::CACPubKey(CKYByte instance, c

             setAttribute(CKA_EC_POINT, &param1);

             setAttribute(CKA_EC_PARAMS, &param2);

 	    setAttributeULong(CKA_KEY_TYPE, CKK_EC);

+    	    setAttributeBool(CKA_VERIFY_RECOVER, FALSE);

+    	    setAttributeBool(CKA_ENCRYPT, FALSE);

+    	    setAttributeBool(CKA_DERIVE, encrypt);

             break;

         default:

             break;

@@ -1376,6 +1381,26 @@ static const char *CAC_Label[] = {

         "CAC ID Certificate",

         "CAC Email Signature Certificate",

         "CAC Email Encryption Certificate",

+        "CAC Cert 3",

+        "CAC Cert 4",

+        "CAC Cert 5",

+        "CAC Cert 6",

+        "CAC Cert 7",

+        "CAC Cert 8",

+        "CAC Cert 9",

+};

+

+static const char *PIV_Label[] = {

+        "PIV ID Certificate",

+        "PIV Email Signature Certificate",

+        "PIV Email Encryption Certificate",

+        "PIV Card Authentication Certificate",

+        "PIV Cert 4",

+        "PIV Cert 5",

+        "PIV Cert 6",

+        "PIV Cert 7",

+        "PIV Cert 8",

+        "PIV Cert 9",

 };

 static const unsigned char CN_DATA[] = { 0x55, 0x4, 0x3 };

@@ -1454,7 +1479,7 @@ GetUserName(const CKYBuffer *dn)

     return string;

 }

-CACCert::CACCert(CKYByte instance, const CKYBuffer *derCert) : 

+CACCert::CACCert(CKYByte instance, const CKYBuffer *derCert, bool isPIV) : 

         PKCS11Object( ((int)'c') << 24 | ((int)instance+'0') << 16, 

                         instance | 0x600)

 {

@@ -1471,7 +1496,7 @@ CACCert::CACCert(CKYByte instance, const

     setAttribute(CKA_ID, &id;;

     CKYBuffer_FreeData(&id;;

     setAttributeULong(CKA_CERTIFICATE_TYPE, CKC_X_509);

-    setAttribute(CKA_LABEL, CAC_Label[instance]);

+    setAttribute(CKA_LABEL, isPIV ? PIV_Label[instance] : CAC_Label[instance]);

     CKYBuffer derSerial; CKYBuffer_InitEmpty(&derSerial);

     CKYBuffer derSubject; CKYBuffer_InitEmpty(&derSubject);

diff -up ./src/coolkey/object.h.alt-cac ./src/coolkey/object.h

--- ./src/coolkey/object.h.alt-cac	2016-12-01 15:37:49.087167430 -0800

+++ ./src/coolkey/object.h	2016-12-01 15:37:49.115167928 -0800

@@ -219,17 +219,17 @@ class Cert : public PKCS11Object {

 class CACPrivKey : public PKCS11Object {

   public:

-    CACPrivKey(CKYByte instance, const PKCS11Object &cert);

+    CACPrivKey(CKYByte instance, const PKCS11Object &cert, bool isPIV);

 };

 class CACPubKey : public PKCS11Object {

   public:

-    CACPubKey(CKYByte instance, const PKCS11Object &cert);

+    CACPubKey(CKYByte instance, const PKCS11Object &cert, bool isPIV);

 };

 class CACCert : public PKCS11Object {

   public:

-    CACCert(CKYByte instance, const CKYBuffer *derCert);

+    CACCert(CKYByte instance, const CKYBuffer *derCert, bool isPIV);

 };

 typedef enum { PK15StateInit, PK15StateNeedObject, 

diff -up ./src/coolkey/slot.cpp.alt-cac ./src/coolkey/slot.cpp

--- ./src/coolkey/slot.cpp.alt-cac	2016-12-01 15:37:49.110167839 -0800

+++ ./src/coolkey/slot.cpp	2016-12-01 15:57:37.307994776 -0800

@@ -415,8 +415,9 @@ Slot::Slot(const char *readerName_, Log

 	slotInfoFound(false), context(context_), conn(NULL), state(UNKNOWN), 

 	isVersion1Key(false), needLogin(false), fullTokenName(false), 

 	mCoolkey(false), mOldCAC(false), mCACLocalLogin(false),

-	pivContainer(-1), pivKey(-1), mECC(false), p15aid(0), p15odfAddr(0),

-	p15tokenInfoAddr(0), p15Instance(0),

+	pivContainer(-1), pivKey(-1), maxCacCerts(MAX_CERT_SLOTS), 

+	algs(ALG_NONE), p15aid(0), p15odfAddr(0), p15tokenInfoAddr(0),

+	p15Instance(0),

 #ifdef USE_SHMEM

 	shmem(readerName_),

 #endif

@@ -776,6 +777,7 @@ Slot::connectToToken()

 	 state |= PIV_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED;

 	 isVersion1Key = 0;

 	 needLogin = true;

+	 maxCacCerts = MAX_CERT_SLOTS;

          mCoolkey = 0;

 	 mOldCAC = 0;

 	 mCACLocalLogin = getPIVLoginType();

@@ -927,8 +929,12 @@ Slot::getCACAid()

 	}

 	/* yes, fill in the old applets */

 	mOldCAC = true;

+	maxCacCerts = 1;

 	for (i=1; i< MAX_CERT_SLOTS; i++) {

-	    CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);

+	    status = CACApplet_SelectPKI(conn, &cardAID[i], i, NULL);

+	    if (status == CKYSUCCESS) {

+		maxCacCerts = i+1;

+	    }

 	}

 	return CKYSUCCESS;

     }

@@ -986,6 +992,7 @@ Slot::getCACAid()

     if (certSlot == 0) {

 	status = CKYAPDUFAIL; /* probably neeed a beter error code */

     }

+    maxCacCerts = certSlot;

 done:

     CKYBuffer_FreeData(&tBuf);

@@ -2168,12 +2175,11 @@ Slot::addKeyObject(list<PKCS11Object>& o

         }

         keyObj.completeKey(*iter);

-        /* For now this is how we determine what type of key.

-           Also for now, allow only one or the other */

+        /*  use key object to determine what algorithms we support */

         if ( keyObj.getKeyType() == PKCS11Object::ecc) {

-            mECC = true;

+            algs = (SlotAlgs) (algs | ALG_ECC);

         } else {

-            mECC = false;

+            algs = (SlotAlgs) (algs | ALG_RSA);

         }

     }

@@ -2205,7 +2211,7 @@ Slot::addCertObject(list<PKCS11Object>&

 void

 Slot::unloadObjects()

 {

-    mECC = false;

+    algs = ALG_NONE;

     tokenObjects.clear();

     free(personName);

     personName = NULL;

@@ -2269,29 +2275,42 @@ Slot::unloadObjects()

 // Shared memory segments are fixed size (equal to the object memory size of

 // the token). 

 //

+//

+//

+

+struct SlotDataPair {

+    unsigned long dataOffset;

+    unsigned long  dataSize;

+};

 struct SlotSegmentHeader {

     unsigned short version;

     unsigned short headerSize;

     unsigned char  valid;

-    unsigned char  reserved;

+    unsigned char  firstCacCert;

     unsigned char  cuid[10];

-    unsigned short reserved2;

+

+    unsigned short reserved; 

     unsigned short dataVersion;

     unsigned short dataHeaderOffset;

     unsigned short dataOffset;

     unsigned long  dataHeaderSize;

     unsigned long  dataSize;

-    unsigned long  cert2Offset;

-    unsigned long  cert2Size;

+    unsigned long  nextDataOffset;

+    SlotDataPair cacCerts[MAX_CERT_SLOTS];

 };

+const unsigned char NOT_A_CAC=0xff; /* place in firstCacCert field */

+const unsigned short CAC_DATA_VERSION=2;

+

+

 #define MAX_OBJECT_STORE_SIZE 15000

 //

 // previous development versions used a segment prefix of

 // "coolkeypk11s"

 //

-#define SEGMENT_PREFIX "coolkeypk11s"

+#define SEGMENT_PREFIX "coolkeypk11t" // update segment since the old cache was

+                                      // incompatible

 #define CAC_FAKE_CUID "CAC Certs"

 SlotMemSegment::SlotMemSegment(const char *readerName): 

 	segmentAddr(NULL),  segmentSize(0), segment(NULL)

@@ -2320,9 +2339,8 @@ SlotMemSegment::SlotMemSegment(const cha

 	return;

     }

-    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;

     if (needInit) {

-	segmentHeader->valid = 0;

+	clearValid(0);

     }

     segmentSize = segment->getSHMemSize();

 }

@@ -2396,6 +2414,18 @@ SlotMemSegment::getDataVersion() const

     return segmentHeader->dataVersion;

 }

+unsigned char

+SlotMemSegment::getFirstCacCert() const

+{

+    if (!segment) {

+	return NOT_A_CAC;

+    }

+

+    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;

+

+    return segmentHeader->firstCacCert;

+}

+

 void

 SlotMemSegment::setVersion(unsigned short version)

 {

@@ -2419,6 +2449,18 @@ SlotMemSegment::setDataVersion(unsigned

     segmentHeader->dataVersion = version;

 }

+void

+SlotMemSegment::setFirstCacCert(unsigned char firstCacCert)

+{

+    if (!segment) {

+	return;

+    }

+

+    SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;

+

+    segmentHeader->firstCacCert = firstCacCert;

+}

+

 bool

 SlotMemSegment::isValid() const

 {

@@ -2493,23 +2535,13 @@ SlotMemSegment::readCACCert(CKYBuffer *o

     int size;

     CKYByte *data;

-    switch (instance) {

-    case 0:

-	data  = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];

-	size = segmentHeader->dataHeaderSize;

-	break;

-    case 1:

-	data  = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];

-	size = segmentHeader->dataSize;

-	break;

-    case 2:

-	data  = (CKYByte *) &segmentAddr[segmentHeader->cert2Offset];

-	size = segmentHeader->cert2Size;

-	break;

-    default:

+    if (instance >= MAX_CERT_SLOTS) {

 	CKYBuffer_Resize(objData, 0);

 	return;

     }

+    data = (CKYByte *) &segmentAddr[segmentHeader->cacCerts[instance]

+								.dataOffset];

+    size = segmentHeader->cacCerts[instance].dataSize;

     CKYBuffer_Replace(objData, 0, data, size);

 }

@@ -2523,30 +2555,20 @@ SlotMemSegment::writeCACCert(const CKYBu

     SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;

     int size = CKYBuffer_Size(data);

     CKYByte *shmData;

-    switch (instance) {

-    case 0:

-	segmentHeader->headerSize = sizeof *segmentHeader;

-	segmentHeader->dataHeaderOffset = sizeof *segmentHeader;

-	segmentHeader->dataHeaderSize = size;

-	segmentHeader->dataOffset = segmentHeader->dataHeaderOffset + size;

-	segmentHeader->dataSize = 0;

-	segmentHeader->cert2Offset = segmentHeader->dataOffset;

-	segmentHeader->cert2Size = 0;

-	shmData = (CKYByte *) &segmentAddr[segmentHeader->dataHeaderOffset];

-	break;

-    case 1:

-	segmentHeader->dataSize = size;

-	segmentHeader->cert2Offset = segmentHeader->dataOffset + size;

-	segmentHeader->cert2Size = 0;

-	shmData = (CKYByte *) &segmentAddr[segmentHeader->dataOffset];

-	break;

-    case 2:

-	segmentHeader->cert2Size = size;

-	shmData = (CKYByte *) &segmentAddr[segmentHeader->cert2Offset];

-	break;

-    default:

+

+    if (instance >= MAX_CERT_SLOTS) {

 	return;

     }

+

+    if (segmentHeader->firstCacCert == NOT_A_CAC) {

+	segmentHeader->firstCacCert = instance;

+    }

+    unsigned long dataOffset = segmentHeader->nextDataOffset;

+    segmentHeader->cacCerts[instance].dataOffset = dataOffset;

+    segmentHeader->nextDataOffset += size;

+    segmentHeader->cacCerts[instance].dataSize = size;

+    shmData = (CKYByte *) &segmentAddr[dataOffset];

+

     memcpy(shmData, CKYBuffer_Data(data), size);

 }

@@ -2558,15 +2580,18 @@ SlotMemSegment::clearValid(CKYByte insta

 	return;

     }

     SlotSegmentHeader *segmentHeader = (SlotSegmentHeader *)segmentAddr;

-    switch (instance) {

-    case 0:

-	segmentHeader->headerSize = 0;

-	segmentHeader->dataHeaderSize = 0;

-	/* fall through */

-    case 1:

-	segmentHeader->dataSize = 0;

+

+    segmentHeader->headerSize = sizeof *segmentHeader;

+    segmentHeader->dataHeaderOffset = sizeof *segmentHeader;

+    segmentHeader->dataHeaderSize = 0;

+    segmentHeader->dataSize = 0;

+    for (int i=0; i < MAX_CERT_SLOTS; i++) {

+	segmentHeader->cacCerts[i].dataSize = 0;

     }

+    segmentHeader->dataOffset = sizeof *segmentHeader;

+    segmentHeader->nextDataOffset = sizeof *segmentHeader;

     segmentHeader->valid = 0;

+    segmentHeader->firstCacCert = NOT_A_CAC;

 }

 void

@@ -2882,8 +2907,7 @@ berProcess(CKYBuffer *buf, int matchTag,

 CKYStatus

-Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize, 

-			      bool throwException)

+Slot::readCACCertificateFirst(CKYBuffer *cert, CKYSize *nextSize)

 {

     CKYStatus status;

     CKYISOStatus apduRC;

@@ -2897,9 +2921,6 @@ Slot::readCACCertificateFirst(CKYBuffer

 	CKYBuffer_InitEmpty(&certInfo);

 	CKYBuffer_Resize(cert, 0);

 	status = PIVApplet_GetCertificate(conn, cert, pivContainer, &apduRC);

-	if (throwException && (status != CKYSUCCESS)) {

-	    handleConnectionError();

-	}

 	/* actually, on success, we need to parse the certificate and find the

 	 * propper tag */

 	if (status == CKYSUCCESS) {

@@ -2940,10 +2961,10 @@ Slot::readCACCertificateFirst(CKYBuffer

     if (mOldCAC) {

 	/* get the first 100 bytes of the cert */

 	status = CACApplet_GetCertificateFirst(conn, cert, nextSize, &apduRC);

-	if (throwException && (status != CKYSUCCESS)) {

-	    handleConnectionError();

+	if (status == CKYSUCCESS) {

+	    return status;

 	}

-	return status;

+	/* try to use CACApplet_ReadFile before we give up */

     }

     CKYBuffer tBuf;

@@ -2959,11 +2980,11 @@ Slot::readCACCertificateFirst(CKYBuffer

     /* handle the new CAC card read */

     /* read the TLV */

-    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, NULL);

+    status = CACApplet_ReadFile(conn, CAC_TAG_FILE, &tBuf, &apduRC);

     if (status != CKYSUCCESS) {

 	goto done;

     }

-    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, NULL);

+    status = CACApplet_ReadFile(conn, CAC_VALUE_FILE, &vBuf, &apduRC);

     if (status != CKYSUCCESS) {

 	goto done;

     }

@@ -3199,14 +3220,12 @@ Slot::loadCACCert(CKYByte instance)

     CKYStatus status = CKYSUCCESS;

     CKYBuffer cert;

     CKYBuffer rawCert;

-    CKYBuffer shmCert;

     CKYSize  nextSize;

     OSTime time = OSTimeNow();

     CKYBuffer_InitEmpty(&cert);

     CKYBuffer_InitEmpty(&rawCert);

-    CKYBuffer_InitEmpty(&shmCert);

     //

     // not all CAC cards have all the PKI instances

@@ -3215,78 +3234,24 @@ Slot::loadCACCert(CKYByte instance)

     try {

         selectCACApplet(instance, false);

     } catch(PKCS11Exception& e) {

-	// all CAC's must have instance '0', throw the error it

-	// they don't.

-	if (instance == 0) throw e;

-	// If the CAC doesn't have instance '2', and we were updating

-	// the shared memory, set it to valid now.

-	if ((instance == 2) && !shmem.isValid()) {

-	    shmem.setValid();

-	}

 	return;

     }

     log->log("CAC Cert %d: select CAC applet:  %d ms\n",

 						 instance, OSTimeNow() - time);

-    if (instance == 0) {

-	readCACCertificateFirst(&rawCert, &nextSize, true);

-

-        if(CKYBuffer_Size(&rawCert) <= 1) {

-             handleConnectionError();

-        }

-	log->log("CAC Cert %d: fetch CAC Cert:  %d ms\n", 

-						instance, OSTimeNow() - time);

-    }

-

-    unsigned short dataVersion = 1;

-    CKYBool needRead = 1;

-

     /* see if it matches the shared memory */

-    if (shmem.isValid() &&  shmem.getDataVersion() == dataVersion) {

-	shmem.readCACCert(&shmCert, instance);

-	CKYSize certSize = CKYBuffer_Size(&rawCert);

-	CKYSize shmCertSize = CKYBuffer_Size(&shmCert);

-	const CKYByte *shmData = CKYBuffer_Data(&shmCert);

-

-	if (instance != 0) {

-	    needRead = 0;

-	}

-

-	if (shmCertSize >= certSize) {

-	    if (memcmp(shmData, CKYBuffer_Data(&rawCert), certSize) == 0) {

-		/* yes it does, no need to read the rest of the cert, use

-		 * the cache */

-		CKYBuffer_Replace(&rawCert, 0, shmData, shmCertSize);

-		needRead = 0;

-	    }

-	}

-	if (!needRead && (shmCertSize == 0)) {	

+    if (shmem.isValid() &&  shmem.getDataVersion() == CAC_DATA_VERSION) {

+	shmem.readCACCert(&rawCert, instance);

+	if (CKYBuffer_Size(&rawCert) == 0) {

 	    /* no cert of this type, just return */

 	    return;

 	}

-    }

-    CKYBuffer_FreeData(&shmCert);

-

-    if (needRead) {

-	/* it doesn't, read the new cert and update the cache */

-	if (instance == 0) {

-	    shmem.clearValid(0);

-	    shmem.setVersion(SHMEM_VERSION);

-	    shmem.setDataVersion(dataVersion);

-	} else {

-	    status = readCACCertificateFirst(&rawCert, &nextSize, false);

-	

-	    if ((status != CKYSUCCESS) || (CKYBuffer_Size(&rawCert) <= 1)) {

-		/* CAC only requires the Certificate in pki '0' */

-		/* if pki '1' or '2' are empty, treat it as a non-fatal error*/

-		if (instance == 2) {

-		    /* we've attempted to read all the certs, shared memory

-		     * is now valid */

-		    shmem.setValid();

-		}

-		return;

-	    }

+    } else {

+	status = readCACCertificateFirst(&rawCert, &nextSize);

+	if ((status != CKYSUCCESS) || (CKYBuffer_Size(&rawCert) <= 1)) {

+	    /*this cert doesn't exist, go to the next one */

+	    return;

 	}

 	if (nextSize) {

@@ -3298,9 +3263,6 @@ Slot::loadCACCert(CKYByte instance)

 	    handleConnectionError();

 	}

 	shmem.writeCACCert(&rawCert, instance);

-	if (instance == 2) {

-	    shmem.setValid();

-	}

     }

@@ -3368,14 +3330,17 @@ Slot::loadCACCert(CKYByte instance)

     log->log("CAC Cert %d: Cert has been uncompressed:  %d ms\n",

 						instance, OSTimeNow() - time);

-    CACCert certObj(instance, &cert);

-    CACPrivKey privKey(instance, certObj);

-    CACPubKey pubKey(instance, certObj);

+    bool isPIV = (bool)((state & PIV_CARD) == PIV_CARD);

+    CACCert certObj(instance, &cert, isPIV);

+    CACPrivKey privKey(instance, certObj, isPIV);

+    CACPubKey pubKey(instance, certObj, isPIV);

     tokenObjects.push_back(privKey);

     tokenObjects.push_back(pubKey);

     tokenObjects.push_back(certObj);

     if ( pubKey.getKeyType() == PKCS11Object::ecc) {

-	mECC = 1;

+        algs = (SlotAlgs) (algs | ALG_ECC);

+    } else {

+        algs = (SlotAlgs) (algs | ALG_RSA);

     }

     if (personName == NULL) {

@@ -3388,6 +3353,94 @@ Slot::loadCACCert(CKYByte instance)

 }

 void

+Slot::initCACShMem(void)

+{

+    bool failed = false;

+

+    unsigned char firstCert = shmem.getFirstCacCert();

+

+    log->log("init CACShMem: \n");

+    /* check to make sure the shared memory is initialized with a CAC card */

+    if (shmem.isValid() && shmem.getDataVersion() ==  CAC_DATA_VERSION

+				&& firstCert != NOT_A_CAC) {

+	CKYBuffer rawCert;

+	CKYBuffer shmCert;

+	CKYSize  nextSize;

+

+        log->log("init CACShMem: valid CAC cache found firstCert = %d\n",

+						 firstCert);

+	CKYBuffer_InitEmpty(&rawCert);

+	CKYBuffer_InitEmpty(&shmCert);

+

+

+	/* yes, see if it's this cac card by comparing the first cert 

+	 * in the chain */

+

+	/* see if the first cert is in the expected slot */

+	try {

+	    selectCACApplet(firstCert, false);

+ 	} catch(PKCS11Exception& e) {

+	    failed = true;

+            log->log("init CACShMem: applet select failed firstCert = %d\n",

+							firstCert);

+	}

+	if (!failed) {

+	    CKYStatus status = readCACCertificateFirst(&rawCert, &nextSize);

+	    if ((status != CKYSUCCESS) || CKYBuffer_Size(&rawCert) <= 1) {

+		failed = true;

+                log->log("init CACShMem: read Cert failed firstCert = %d\n",

+			 				firstCert);

+	    }

+	}

+	if (!failed) {

+	    shmem.readCACCert(&shmCert, firstCert);

+	    CKYSize certSize = CKYBuffer_Size(&rawCert);

+	    CKYSize shmCertSize = CKYBuffer_Size(&shmCert);

+	    const CKYByte *shmData = CKYBuffer_Data(&shmCert);

+

+	    if (shmCertSize >= certSize) {

+		if (memcmp(shmData, CKYBuffer_Data(&rawCert), certSize) == 0) {

+		    /* this card is cached, go on and use the cache */

+            	    log->log("init CACShMem: entries match, using cache\n");

+		    CKYBuffer_FreeData(&rawCert);

+		    CKYBuffer_FreeData(&shmCert);

+		    return;

+		}

+            }		

+            log->log("init CACShMem: no entry match certSize=%d"

+				" shmCertSize=%d\n",certSize, shmCertSize);

+	}

+	CKYBuffer_FreeData(&rawCert);

+	CKYBuffer_FreeData(&shmCert);

+    }

+

+    log->log("init CACShMem: starting new cache valid=%d version=%d "

+		" firstCert=%d\n",shmem.isValid(), shmem.getDataVersion(), 

+				firstCert);

+    /* cache is either invalid or for another card, start initializing it */

+    shmem.clearValid(0);

+    shmem.setVersion(SHMEM_VERSION);

+    shmem.setDataVersion(CAC_DATA_VERSION);

+}

+

+void

+Slot::verifyCACShMem(void)

+{

+    /* if the memory is valid, then nothing to do */

+    if (shmem.isValid()) {