diff --git a/Makefile.in b/Makefile.in

index 6f001bb3..c9424f1e 100644

--- a/Makefile.in

+++ b/Makefile.in

@@ -93,7 +93,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \

 	atomicio.o dispatch.o mac.o uuencode.o misc.o utf8.o \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \

 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \

-	ssh-pkcs11.o smult_curve25519_ref.o \

+	ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \

 	poly1305.o chacha.o cipher-chachapoly.o \

 	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \

 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \

@@ -250,6 +250,8 @@ clean:	regressclean

 	rm -f regress/unittests/match/test_match$(EXEEXT)

 	rm -f regress/unittests/utf8/*.o

 	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)

+	rm -f regress/unittests/pkcs11/*.o

+	rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)

 	rm -f regress/misc/kexfuzz/*.o

 	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)

 	(cd openbsd-compat && $(MAKE) clean)

@@ -280,6 +282,8 @@ distclean:	regressclean

 	rm -f regress/unittests/match/test_match

 	rm -f regress/unittests/utf8/*.o

 	rm -f regress/unittests/utf8/test_utf8

+	rm -f regress/unittests/pkcs11/*.o

+	rm -f regress/unittests/pkcs11/test_pkcs11

 	rm -f regress/misc/kexfuzz/*.o

 	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)

 	(cd openbsd-compat && $(MAKE) distclean)

@@ -442,6 +446,7 @@ regress-prep:

 	$(MKDIR_P) `pwd`/regress/unittests/kex

 	$(MKDIR_P) `pwd`/regress/unittests/match

 	$(MKDIR_P) `pwd`/regress/unittests/utf8

+	$(MKDIR_P) `pwd`/regress/unittests/pkcs11

 	$(MKDIR_P) `pwd`/regress/misc/kexfuzz

 	[ -f `pwd`/regress/Makefile ] || \

 	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile

@@ -565,6 +570,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \

 	    regress/unittests/test_helper/libtest_helper.a \

 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+UNITTESTS_TEST_PKCS11_OBJS=\

+	regress/unittests/pkcs11/tests.o

+

+regress/unittests/pkcs11/test_pkcs11$(EXEEXT): \

+    ${UNITTESTS_TEST_PKCS11_OBJS} \

+    regress/unittests/test_helper/libtest_helper.a libssh.a

+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_PKCS11_OBJS) \

+	    regress/unittests/test_helper/libtest_helper.a \

+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+

 MISC_KEX_FUZZ_OBJS=\

 	regress/misc/kexfuzz/kexfuzz.o

@@ -585,6 +600,7 @@ regress-binaries: regress/modpipe$(EXEEXT) \

 	regress/unittests/kex/test_kex$(EXEEXT) \

 	regress/unittests/match/test_match$(EXEEXT) \

 	regress/unittests/utf8/test_utf8$(EXEEXT) \

+	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \

 	regress/misc/kexfuzz/kexfuzz$(EXEEXT)

 tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)

diff --git a/authfd.c b/authfd.c

index 95348abf..5383df92 100644

--- a/authfd.c

+++ b/authfd.c

@@ -312,6 +312,8 @@ ssh_free_identitylist(struct ssh_identitylist *idl)

 		if (idl->comments != NULL)

 			free(idl->comments[i]);

 	}

+	free(idl->keys);

+	free(idl->comments);

 	free(idl);

 }

diff --git a/configure.ac b/configure.ac

index 30be6c18..82459746 100644

--- a/configure.ac

+++ b/configure.ac

@@ -1854,12 +1854,14 @@ AC_LINK_IFELSE(

 	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])

 ])

+SCARD_MSG="yes"

 disable_pkcs11=

 AC_ARG_ENABLE([pkcs11],

 	[  --disable-pkcs11        disable PKCS#11 support code [no]],

 	[

 		if test "x$enableval" = "xno" ; then

 			disable_pkcs11=1

+			SCARD_MSG="no"

 		fi

 	]

 )

@@ -1875,6 +1877,40 @@ if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then

 	)

 fi

+# Check whether we have a p11-kit, we got default provider on command line

+DEFAULT_PKCS11_PROVIDER_MSG="no"

+AC_ARG_WITH([default-pkcs11-provider],

+	[  --with-default-pkcs11-provider[[=PATH]]   Use default pkcs11 provider (p11-kit detected by default)],

+	[ if test "x$withval" != "xno" && test "x$disable_pkcs11" = "x"; then

+		if test "x$withval" = "xyes" ; then

+			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])

+			if test "x$PKGCONFIG" != "xno"; then

+				AC_MSG_CHECKING([if $PKGCONFIG knows about p11-kit])

+				if "$PKGCONFIG" "p11-kit-1"; then

+					AC_MSG_RESULT([yes])

+					use_pkgconfig_for_p11kit=yes

+				else

+					AC_MSG_RESULT([no])

+				fi

+			fi

+		else

+			PKCS11_PATH="${withval}"

+		fi

+		if test "x$use_pkgconfig_for_p11kit" = "xyes"; then

+			PKCS11_PATH=`$PKGCONFIG --variable=proxy_module p11-kit-1`

+		fi

+		AC_CHECK_FILE("$PKCS11_PATH",

+			[ AC_DEFINE_UNQUOTED([PKCS11_DEFAULT_PROVIDER], ["$PKCS11_PATH"], [Path to default PKCS#11 provider (p11-kit proxy)])

+			  DEFAULT_PKCS11_PROVIDER_MSG="$PKCS11_PATH"

+			],

+			[ AC_MSG_ERROR([Requested PKCS11 provided not found]) ]

+		)

+	else

+		AC_MSG_WARN([Needs PKCS11 support to enable default pkcs11 provider])

+	fi ]

+)

+

+

 # IRIX has a const char return value for gai_strerror()

 AC_CHECK_FUNCS([gai_strerror], [

 	AC_DEFINE([HAVE_GAI_STRERROR])

@@ -5256,6 +5292,7 @@ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"

 echo "                  BSD Auth support: $BSD_AUTH_MSG"

 echo "              Random number source: $RAND_MSG"

 echo "             Privsep sandbox style: $SANDBOX_STYLE"

+echo "          Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG"

 echo ""

diff --git a/regress/Makefile b/regress/Makefile

index 925edf71..94bb25e9 100644

--- a/regress/Makefile

+++ b/regress/Makefile

@@ -109,9 +109,11 @@ CLEANFILES=	*.core actual agent-key.* authorized_keys_${USERNAME} \

 		known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \

 		modpipe netcat no_identity_config \

 		pidfile putty.rsa2 ready regress.log \

-		remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \

+		remote_pid revoked-* rsa rsa-agent rsa-agent.pub \

+		rsa-agent-cert.pub rsa.pub \

 		rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \

-		rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \

+		pkcs11*.crt pkcs11*.key \

+		pkcs11.info rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \

 		scp-ssh-wrapper.scp setuid-allowed sftp-server.log \

 		sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \

 		ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \

@@ -231,6 +233,7 @@ unit:

 		V="" ; \

 		test "x${USE_VALGRIND}" = "x" || \

 		    V=${.CURDIR}/valgrind-unit.sh ; \

+		$$V ${.OBJDIR}/unittests/pkcs11/test_pkcs11 ; \

 		$$V ${.OBJDIR}/unittests/sshbuf/test_sshbuf ; \

 		$$V ${.OBJDIR}/unittests/sshkey/test_sshkey \

 			-d ${.CURDIR}/unittests/sshkey/testdata ; \

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh

index 5205d906..5ca49be5 100644

--- a/regress/agent-pkcs11.sh

+++ b/regress/agent-pkcs11.sh

@@ -29,6 +29,13 @@ fi

 test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

+# requires ssh-agent built with correct path to ssh-pkcs11-helper

+# otherwise it fails to start the helper

+strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"

+if [ $? -ne 0 ]; then

+	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"

+fi

+

 # setup environment for softhsm2 token

 DIR=$OBJ/SOFTHSM

 rm -rf $DIR

@@ -113,7 +120,7 @@ else

 	done

 	trace "remove pkcs11 keys"

-	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1

+	${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1

 	r=$?

 	if [ $r -ne 0 ]; then

 		fail "ssh-add -e failed: exit code $r"

diff --git a/regress/pkcs11.sh b/regress/pkcs11.sh

new file mode 100644

index 00000000..19fc8169

--- /dev/null

+++ b/regress/pkcs11.sh

@@ -0,0 +1,352 @@

+#

+#  Copyright (c) 2017 Red Hat

+#

+#  Authors: Jakub Jelen <jjelen@redhat.com>

+#

+#  Permission to use, copy, modify, and distribute this software for any

+#  purpose with or without fee is hereby granted, provided that the above

+#  copyright notice and this permission notice appear in all copies.

+#

+#  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+#  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+#  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+#  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+#  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+#  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+#  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+

+tid="pkcs11 tests with soft token"

+

+try_token_libs() {

+	for _lib in "$@" ; do

+		if test -f "$_lib" ; then

+			verbose "Using token library $_lib"

+			TEST_SSH_PKCS11="$_lib"

+			return

+		fi

+	done

+	echo "skipped: Unable to find PKCS#11 token library"

+	exit 0

+}

+

+try_token_libs \

+	/usr/local/lib/softhsm/libsofthsm2.so \

+	/usr/lib64/pkcs11/libsofthsm2.so \

+	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

+

+TEST_SSH_PIN=1234

+TEST_SSH_SOPIN=12345678

+if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then

+	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"

+	export SSH_PKCS11_HELPER

+fi

+

+test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

+

+# requires ssh-agent built with correct path to ssh-pkcs11-helper

+# otherwise it fails to start the helper

+strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"

+if [ $? -ne 0 ]; then

+	fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"

+fi

+

+# setup environment for softhsm token

+DIR=$OBJ/SOFTHSM

+rm -rf $DIR

+TOKEN=$DIR/tokendir

+mkdir -p $TOKEN

+SOFTHSM2_CONF=$DIR/softhsm2.conf

+export SOFTHSM2_CONF

+cat > $SOFTHSM2_CONF << EOF

+# SoftHSM v2 configuration file

+directories.tokendir = ${TOKEN}

+objectstore.backend = file

+# ERROR, WARNING, INFO, DEBUG

+log.level = DEBUG

+# If CKF_REMOVABLE_DEVICE flag should be set

+slots.removable = false

+EOF

+out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")

+slot=$(echo -- $out | sed 's/.* //')

+

+# prevent ssh-agent from calling ssh-askpass

+SSH_ASKPASS=/usr/bin/true

+export SSH_ASKPASS

+unset DISPLAY

+# We need interactive access to test PKCS# since it prompts for PIN

+sed -i 's/.*BatchMode.*//g' $OBJ/ssh_proxy

+

+# start command w/o tty, so ssh accepts pin from stdin (from agent-pkcs11.sh)

+notty() {

+	perl -e 'use POSIX; POSIX::setsid();

+	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"

+}

+

+trace "generating keys"

+ID1="02"

+ID2="04"

+RSA=${DIR}/RSA

+EC=${DIR}/EC

+openssl genpkey -algorithm rsa > $RSA

+openssl pkcs8 -nocrypt -in $RSA |\

+    softhsm2-util --slot "$slot" --label "SSH RSA Key $ID1" --id $ID1 \

+	--pin "$TEST_SSH_PIN" --import /dev/stdin

+openssl genpkey \

+    -genparam \

+    -algorithm ec \

+    -pkeyopt ec_paramgen_curve:prime256v1 |\

+    openssl genpkey \

+    -paramfile /dev/stdin > $EC

+openssl pkcs8 -nocrypt -in $EC |\

+    softhsm2-util --slot "$slot" --label "SSH ECDSA Key $ID2" --id $ID2 \

+	--pin "$TEST_SSH_PIN" --import /dev/stdin

+

+trace "List the keys in the ssh-keygen with PKCS#11 URIs"

+${SSHKEYGEN} -D ${TEST_SSH_PKCS11} > $OBJ/token_keys

+if [ $? -ne 0 ]; then

+	fail "keygen fails to enumerate keys on PKCS#11 token"

+fi

+grep "pkcs11:" $OBJ/token_keys > /dev/null

+if [ $? -ne 0 ]; then

+	fail "The keys from ssh-keygen do not contain PKCS#11 URI as a comment"

+fi

+tail -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER

+

+trace "Simple connect with ssh (without PKCS#11 URI)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -I ${TEST_SSH_PKCS11} \

+    -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with pkcs11 failed (exit code $r)"

+fi

+

+trace "Connect with PKCS#11 URI"

+trace "  (second key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (first key should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+     -i "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+trace "Connect with PKCS#11 URI including PIN should not prompt"

+trace "  (second key should succeed)"

+${SSH} -F $OBJ/ssh_proxy -i \

+    "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (first key should fail)"

+${SSH} -F $OBJ/ssh_proxy -i \

+    "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+trace "Connect with various filtering options in PKCS#11 URI"

+trace "  (by object label, second key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:object=SSH%20RSA%20Key%202?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (by object label, first key should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+     -i "pkcs11:object=SSH%20RSA%20Key?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+trace "  (by token label, second key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:id=${ID2};token=SoftToken%20(token)?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (by wrong token label, should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+     -i "pkcs11:token=SoftToken?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+

+

+

+trace "Test PKCS#11 URI specification in configuration files"

+echo "IdentityFile \"pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}\"" \

+    >> $OBJ/ssh_proxy

+trace "  (second key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI in config failed (exit code $r)"

+fi

+

+trace "  (first key should fail)"

+head -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "ssh connect with PKCS#11 URI in config succeeded (should fail)"

+fi

+sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy

+

+trace "Test PKCS#11 URI specification in configuration files with bogus spaces"

+echo "IdentityFile \"    pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}    \"" \

+    >> $OBJ/ssh_proxy

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI with bogus spaces in config failed" \

+	    "(exit code $r)"

+fi

+sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy

+

+

+trace "Combination of PKCS11Provider and PKCS11URI on commandline"

+trace "  (first key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:id=${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "ssh connect with PKCS#11 URI and provider combination" \

+	    "failed (exit code $r)"

+fi

+

+trace "Regress: Missing provider in PKCS11URI option"

+${SSH} -F $OBJ/ssh_proxy \

+    -o IdentityFile=\"pkcs11:token=segfault\" somehost exit 5

+r=$?

+if [ $r -eq 139 ]; then

+	fail "ssh connect with missing provider_id from configuration option" \

+	    "crashed (exit code $r)"

+fi

+

+

+trace "SSH Agent can work with PKCS#11 URI"

+trace "start the agent"

+eval `${SSHAGENT} -s -P "${OBJ}/*"` > /dev/null

+

+r=$?

+if [ $r -ne 0 ]; then

+	fail "could not start ssh-agent: exit code $r"

+else

+	trace "add whole provider to agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add failed with whole provider: exit code $r"

+	fi

+

+	trace " pkcs11 list via agent (all keys)"

+	${SSHADD} -l > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add -l failed with whole provider: exit code $r"

+	fi

+

+	trace " pkcs11 connect via agent (all keys)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -ne 5 ]; then

+		fail "ssh connect failed with whole provider (exit code $r)"

+	fi

+

+	trace " remove pkcs11 keys (all keys)"

+	${SSHADD} -d "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add -d failed with whole provider: exit code $r"

+	fi

+

+	trace "add only first key to the agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add failed with first key: exit code $r"

+	fi

+

+	trace " pkcs11 connect via agent (first key)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -ne 5 ]; then

+		fail "ssh connect failed with first key (exit code $r)"

+	fi

+

+	trace " remove first pkcs11 key"

+	${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \

+	    > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add -d failed with first key: exit code $r"

+	fi

+

+	trace "add only second key to the agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add failed with second key: exit code $r"

+	fi

+

+	trace " pkcs11 connect via agent (second key should fail)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -eq 5 ]; then

+		fail "ssh connect passed without key (should fail)"

+	fi

+

+	trace "add also the first key to the agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add failed with first key: exit code $r"

+	fi

+

+	trace " remove second pkcs11 key"

+	${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \

+	    > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add -d failed with second key: exit code $r"

+	fi

+

+	trace " remove already-removed pkcs11 key should fail"

+	${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \

+	    > /dev/null 2>&1

+	r=$?

+	if [ $r -eq 0 ]; then

+		fail "ssh-add -d passed with non-existing key (should fail)"

+	fi

+

+	trace " pkcs11 connect via agent (the first key should be still usable)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -ne 5 ]; then

+		fail "ssh connect failed with first key (after removing second): exit code $r"

+	fi

+

+	trace "kill agent"

+	${SSHAGENT} -k > /dev/null

+fi

diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile

index e464b085..a0e5a37c 100644

--- a/regress/unittests/Makefile

+++ b/regress/unittests/Makefile

@@ -2,6 +2,6 @@

 REGRESS_FAIL_EARLY?=	yes

 SUBDIR=	test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion

-SUBDIR+=authopt

+SUBDIR+=pkcs11 authopt

 .include <bsd.subdir.mk>

diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c

new file mode 100644

index 00000000..b637cb13

--- /dev/null

+++ b/regress/unittests/pkcs11/tests.c

@@ -0,0 +1,337 @@

+/*

+ * Copyright (c) 2017 Red Hat

+ *

+ * Authors: Jakub Jelen <jjelen@redhat.com>

+ *

+ * Permission to use, copy, modify, and distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+ */

+

+#include "includes.h"

+

+#include <locale.h>

+#include <string.h>

+

+#include "../test_helper/test_helper.h"

+

+#include "sshbuf.h"

+#include "ssh-pkcs11-uri.h"

+

+#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)

+

+/* prototypes are not public -- specify them here internally for tests */

+struct sshbuf *percent_encode(const char *, size_t, char *);

+int percent_decode(char *, char **);

+

+void

+compare_uri(struct pkcs11_uri *a, struct pkcs11_uri *b)

+{

+	ASSERT_PTR_NE(a, NULL);

+	ASSERT_PTR_NE(b, NULL);

+	ASSERT_SIZE_T_EQ(a->id_len, b->id_len);

+	ASSERT_MEM_EQ(a->id, b->id, a->id_len);

+	if (b->object != NULL)

+		ASSERT_STRING_EQ(a->object, b->object);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->object, b->object);

+	if (b->module_path != NULL)

+		ASSERT_STRING_EQ(a->module_path, b->module_path);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->module_path, b->module_path);

+	if (b->token != NULL)

+		ASSERT_STRING_EQ(a->token, b->token);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->token, b->token);

+	if (b->manuf != NULL)

+		ASSERT_STRING_EQ(a->manuf, b->manuf);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->manuf, b->manuf);

+	if (b->lib_manuf != NULL)

+		ASSERT_STRING_EQ(a->lib_manuf, b->lib_manuf);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->lib_manuf, b->lib_manuf);

+}

+

+void

+check_parse_rv(char *uri, struct pkcs11_uri *expect, int expect_rv)

+{

+	char *buf = NULL, *str;

+	struct pkcs11_uri *pkcs11uri = NULL;

+	int rv;

+

+	if (expect_rv == 0)

+		str = "Valid";

+	else

+		str = "Invalid";

+	asprintf(&buf, "%s PKCS#11 URI parsing: %s", str, uri);

+	TEST_START(buf);

+	free(buf);

+	pkcs11uri = pkcs11_uri_init();

+	rv = pkcs11_uri_parse(uri, pkcs11uri);

+	ASSERT_INT_EQ(rv, expect_rv);

+	if (rv == 0) /* in case of failure result is undefined */

+		compare_uri(pkcs11uri, expect);

+	pkcs11_uri_cleanup(pkcs11uri);

+	free(expect);

+	TEST_DONE();

+}

+

+void

+check_parse(char *uri, struct pkcs11_uri *expect)

+{

+	check_parse_rv(uri, expect, 0);

+}

+

+struct pkcs11_uri *

+compose_uri(unsigned char *id, size_t id_len, char *token, char *lib_manuf,

+    char *manuf, char *module_path, char *object, char *pin)

+{

+	struct pkcs11_uri *uri = pkcs11_uri_init();

+	if (id_len > 0) {

+		uri->id_len = id_len;

+		uri->id = id;

+	}

+	uri->module_path = module_path;

+	uri->token = token;

+	uri->lib_manuf = lib_manuf;

+	uri->manuf = manuf;

+	uri->object = object;

+	uri->pin = pin;

+	return uri;

+}

+

+static void

+test_parse_valid(void)

+{

+	/* path arguments */

+	check_parse("pkcs11:id=%01",

+	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:id=%00%01",

+	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:token=SSH%20Keys",

+	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:library-manufacturer=OpenSC",

+	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:manufacturer=piv_II",

+	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));

+	check_parse("pkcs11:object=SIGN%20Key",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "SIGN Key", NULL));

+	/* query arguments */

+	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));

+	check_parse("pkcs11:?pin-value=123456",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "123456"));

+

+	/* combinations */

+	/* ID SHOULD be percent encoded */

+	check_parse("pkcs11:token=SSH%20Key;id=0",

+	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL));

+	check_parse(

+	    "pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",

+	    compose_uri(NULL, 0, NULL, NULL, "CAC",

+	    "/usr/lib64/p11-kit-proxy.so", NULL, NULL));

+	check_parse(

+	    "pkcs11:object=RSA%20Key?module-path=/usr/lib64/pkcs11/opencryptoki.so",

+	    compose_uri(NULL, 0, NULL, NULL, NULL,

+	    "/usr/lib64/pkcs11/opencryptoki.so", "RSA Key", NULL));