From 32d17447a258188b2d534bcb0bf65a659ba7b7d0 Mon Sep 17 00:00:00 2001
From: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Fri, 29 Aug 2008 12:11:34 +0000
Subject: Initial import.

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../test/java/at/gv/egiz/smcc/SMCCApplication.java | 46 ++++++++++++++++
 smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java | 63 ++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java

(limited to 'smcc/src/test/java')

diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java b/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
new file mode 100644
index 00000000..5f4bb67e
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
@@ -0,0 +1,46 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.util.Locale;
+
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+public class SMCCApplication {
+
+  /**
+   * @param args
+   */
+  public static void main(String[] args) {
+    
+    SignatureCard sc = null;
+    SMCCHelper smccHelper = new SMCCHelper();
+    while (smccHelper.getResultCode() != SMCCHelper.CARD_FOUND) {
+      System.out.println("Did not get a signature card ... "+smccHelper.getResultCode());
+      smccHelper.update();
+      try {
+        Thread.sleep(1000);
+      } catch (InterruptedException e) {
+        // TODO Auto-generated catch block
+        e.printStackTrace();
+      }
+    }
+    sc = smccHelper.getSignatureCard(Locale.getDefault());
+    System.out.println("Found supported siganture card: "+sc);
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
new file mode 100644
index 00000000..5448fee2
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
@@ -0,0 +1,63 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+
+public class SWCardTest implements PINProvider {
+
+  SWCard swCard = new SWCard();
+  
+  public static void main(String[] args) throws Exception {
+    
+    SWCardTest swCardTest = new SWCardTest();
+    swCardTest.test();
+    
+  }
+  
+  public void test() throws SignatureCardException, NoSuchAlgorithmException {
+    
+    swCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+    swCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+    
+    BigInteger t = BigInteger.valueOf(System.currentTimeMillis());
+
+    MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
+    byte[] hash = messageDigest.digest(t.toByteArray());
+    
+    byte[] signature; 
+    signature = swCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR, this);
+    System.out.println(SignatureCardFactory.toString(signature));
+
+    signature = swCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR, this);
+    System.out.println(SignatureCardFactory.toString(signature));
+    
+    byte[] infobox = swCard.getInfobox("IdentityLink", this, null);
+    System.out.println(SignatureCardFactory.toString(infobox));
+
+  }
+
+  @Override
+  public String providePIN(PINSpec spec, int retries) {
+    return "buerger";
+  }
+  
+}
-- 
cgit v1.2.3


From c2ae3db1bc6dcb8ba3eb3461c05e293917c004ca Mon Sep 17 00:00:00 2001
From: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Thu, 30 Oct 2008 10:33:29 +0000
Subject: Updated SMCC to use exclusive access and to throw exceptions upon
 locked or not activated cards. Improved locale support in the security layer
 request and response processing. Fixed issue in STAL which prevented the use
 of RSA-SHA1 signatures. Added additional parameters to the applet test pages.

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@128 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../main/java/at/gv/egiz/bku/gui/PinDocument.java  |   2 +-
 .../egiz/bku/online/webapp/BKURequestHandler.java  |  20 +-
 BKUOnline/src/main/webapp/HTTP-ohne.html           |  11 +-
 BKUOnline/src/main/webapp/appletPage.jsp           |  29 +-
 .../at/gv/egiz/stal/util/JCEAlgorithmNames.java    |   4 +-
 .../gv/egiz/bku/binding/HTTPBindingProcessor.java  |   3 +-
 .../gv/egiz/bku/slcommands/SLCommandContext.java   |  17 +-
 .../impl/CreateXMLSignatureCommandImpl.java        |   4 +-
 .../egiz/bku/slcommands/impl/ErrorResultImpl.java  |  42 ++-
 .../slcommands/impl/InfoboxReadCommandImpl.java    |   2 +-
 .../gv/egiz/bku/slcommands/impl/SLResultImpl.java  |   8 +-
 .../bku/slcommands/impl/ErrorResultImplTest.java   |   3 +-
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   | 348 ++++++++++++---------
 .../at/gv/egiz/smcc/AbstractSignatureCard.java     | 169 +++++++---
 .../at/gv/egiz/smcc/FileNotFoundException.java     |  38 +++
 .../main/java/at/gv/egiz/smcc/LockedException.java |  38 +++
 .../at/gv/egiz/smcc/NotActivatedException.java     |  44 +++
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 339 ++++++++++++--------
 smcc/src/main/java/at/gv/egiz/smcc/SWCard.java     |  79 ++++-
 .../at/gv/egiz/smcc/SignatureCardException.java    |   2 +-
 .../java/at/gv/egiz/smcc/SignatureCardFactory.java | 223 +++++++++++--
 .../java/at/gv/egiz/smcc/util/SmartCardIO.java     |   3 +-
 .../test/java/at/gv/egiz/smcc/STARCOSCardTest.java |  92 ++++++
 .../bku/smccstal/InfoBoxReadRequestHandler.java    |   8 +
 .../gv/egiz/bku/smccstal/SignRequestHandler.java   |  10 +-
 25 files changed, 1149 insertions(+), 389 deletions(-)
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/FileNotFoundException.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/LockedException.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/NotActivatedException.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java

(limited to 'smcc/src/test/java')

diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java
index 8ae9d7a3..2054ae86 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java
@@ -46,7 +46,7 @@ class PINDocument extends PlainDocument {
 
         @Override
         public void insertString(int offs, String str, AttributeSet a) throws BadLocationException {
-            if (pinSpec.getMaxLength() >= (getLength() + str.length())) {
+            if (pinSpec.getMaxLength() < 0 || pinSpec.getMaxLength() >= (getLength() + str.length())) {
                 boolean matches = true;
                 for (int i = 0; i < str.length(); i++) {
                     Matcher m = pinPattern.matcher(str.substring(i, i + 1));
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
index 6f3b9d7f..9092e3f9 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
@@ -44,6 +44,8 @@ import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
  */
 public class BKURequestHandler extends SpringBKUServlet {
 
+  private static final long serialVersionUID = 1L;
+
   public final static String REDIRECT_URL = "appletPage.jsp";
 
   protected Log log = LogFactory.getLog(BKURequestHandler.class);
@@ -105,6 +107,8 @@ public class BKURequestHandler extends SpringBKUServlet {
     String width = getStringFromStream(bindingProcessor.getFormData("appletWidth"), charset);
     String height = getStringFromStream(bindingProcessor.getFormData("appletHeight"), charset);
     String background = getStringFromStream(bindingProcessor.getFormData("appletBackground"), charset);
+    String guiStyle = getStringFromStream(bindingProcessor.getFormData("appletGuiStyle"), charset);
+    String hashDataDisplay = getStringFromStream(bindingProcessor.getFormData("appletHashDataDisplay"), charset);
     if (width != null) {
       try {
         log.trace("Found applet width parameter: " + width);
@@ -124,12 +128,16 @@ public class BKURequestHandler extends SpringBKUServlet {
       }
     }
     if (background != null) {
-      try {
-        log.trace("Found applet background parameter: " + background);
-        session.setAttribute("appletBackground", background);
-      } catch (NumberFormatException nfe) {
-        log.warn(nfe);
-      }
+      log.trace("Found applet background parameter: " + background);
+      session.setAttribute("appletBackground", background);
+    }
+    if (guiStyle != null) {
+      log.trace("Found applet GUI style parameter: " + guiStyle);
+      session.setAttribute("appletGuiStyle", guiStyle);
+    }
+    if (hashDataDisplay != null) {
+      log.trace("Found applet hash data display parameter: " + hashDataDisplay);
+      session.setAttribute("appletHashDataDisplay", hashDataDisplay);
     }
 
     resp.sendRedirect(REDIRECT_URL);
diff --git a/BKUOnline/src/main/webapp/HTTP-ohne.html b/BKUOnline/src/main/webapp/HTTP-ohne.html
index 1923113e..044432ce 100644
--- a/BKUOnline/src/main/webapp/HTTP-ohne.html
+++ b/BKUOnline/src/main/webapp/HTTP-ohne.html
@@ -92,8 +92,17 @@ legend {
   name="appletHeight" value="130" id="appletHeight">
 <p><label for="appletBackground">Applet Background</label> <input
   name="appletBackground" value="" id="appletBackground">
+<p>
+	<label for="appletGuiStyle">GUI Style</label> 
+	<input type="radio" name="appletGuiStyle" value="simple" checked="checked">simple
+	<input type="radio" name="appletGuiStyle" value="advanced">advanced
+</p>
+<p>
+	<label for="appletHashDataDisplay">GUI Style</label> 
+	<input type="radio" name="appletHashDataDisplay" value="external" checked="checked">external
+	<input type="radio" name="appletHashDataDisplay" value="internal">internal
+</p>
 
-</textarea></p>
 <!-- 
 <p><label for="RedirectURL">RedirectURL</label> <input
 	name="RedirectURL" value="" id="RedirectURL"></p>
diff --git a/BKUOnline/src/main/webapp/appletPage.jsp b/BKUOnline/src/main/webapp/appletPage.jsp
index 950141c4..ffb67828 100644
--- a/BKUOnline/src/main/webapp/appletPage.jsp
+++ b/BKUOnline/src/main/webapp/appletPage.jsp
@@ -20,7 +20,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<title>MOCCA Appletpage</title>
+<title>MOCCA Applet</title>
 <link rel="shortcut icon" href="img/favicon.ico" type="image/x-icon">
 <script type="text/javascript" src="js/deployJava.js"></script>
 <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
@@ -29,19 +29,18 @@
 </head>
 <body>
 <%
-  int width = session.getAttribute("appletWidth") == null
-					? 190
-					: (Integer) session.getAttribute("appletWidth");
-			int height = session.getAttribute("appletHeight") == null
-					? 130
-					: (Integer) session.getAttribute("appletHeight");
-			String backgroundImg = (String) session
-					.getAttribute("appletBackground");
+  int width = session.getAttribute("appletWidth") == null ? 190
+      : (Integer) session.getAttribute("appletWidth");
+  int height = session.getAttribute("appletHeight") == null ? 130
+      : (Integer) session.getAttribute("appletHeight");
+  String backgroundImg = (String) session.getAttribute("appletBackground");
+  String guiStyle = (String) session.getAttribute("appletGuiStyle");
+  String hashDataDisplay = (String) session.getAttribute("appletHashDataDisplay");
 %>
 <script>
 	if (!deployJava.versionCheck('1.6.0_04+')) {
 		document
-				.write('<b>Diese Anwendung benötigt die Java Platform Version 1.6.0 oder höher.</b>' + '<input type="submit" value="Java Platform 1.6.0_02 installieren" onclick="deployJava.installLatestJRE();">');
+				.write('<b>Diese Anwendung benötigt die Java Platform Version 1.6.0_04 oder höher.</b>' + '<input type="submit" value="Java Platform 1.6.0_02 installieren" onclick="deployJava.installLatestJRE();">');
 	} else {
 		var attributes = {
 			codebase :'applet',
@@ -51,15 +50,15 @@
 			height :<%=height%>
 		};
 		var parameters = {
-                        GuiStyle : 'simple',
+            GuiStyle : '<%=guiStyle%>',
 			Background : '<%=backgroundImg%>',
-			WSDL_URL :'../stal?wsdl',
-                        HashDataDisplay : 'external',
-                        HashDataURL : '../hashDataInput',
+			WSDL_URL : '../stal?wsdl',
+            HashDataDisplay : '<%=hashDataDisplay%>',
+            HashDataURL : '../hashDataInput',
 			SessionID : '<%=session.getId()%>',
 			RedirectURL : '../bkuResult'
 		};
-		var version = '1.6.0_02';
+		var version = '1.6.0_04';
 		deployJava.runApplet(attributes, parameters, version);
 	}
 </script>
diff --git a/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java b/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java
index 7e8a767e..c162eed4 100644
--- a/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java
+++ b/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java
@@ -31,7 +31,7 @@ public class JCEAlgorithmNames {
   
   public static String[] SHA_1_ALGORITMS = {
       "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
-      "http://www.w3.org/2000/09/xmldsig#sha1" };
+      "http://www.w3.org/2000/09/xmldsig#rsa-sha1" };
 
   private static JCEAlgorithmNames instance = new JCEAlgorithmNames();
 
@@ -42,7 +42,7 @@ public class JCEAlgorithmNames {
   }
 
   public static String getJCEHashName(String xmlAlgorithmURI) {
-    return instance.hashNameMap.get(xmlAlgorithmURI);
+     return instance.hashNameMap.get(xmlAlgorithmURI);
   }
 
   public void registerHash(String xmlAlgorithmURI, String jceName) {
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessor.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessor.java
index 5e44e82b..4a22874c 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessor.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessor.java
@@ -564,6 +564,7 @@ public class HTTPBindingProcessor extends AbstractBindingProcessor implements
 		SLCommandContext commandCtx = new SLCommandContext();
 		commandCtx.setSTAL(getSTAL());
 		commandCtx.setURLDereferencerContext(new SimpleFormDataContextImpl(this));
+		commandCtx.setLocale(locale);
 		slCommand = SLCommandFactory.getInstance().createSLCommand(source,
 				commandCtx);
 		log.debug("Created new command: " + slCommand);
@@ -731,7 +732,7 @@ public class HTTPBindingProcessor extends AbstractBindingProcessor implements
 	protected void handleBindingProcessorError(OutputStream os, String encoding,
 			Templates templates) throws IOException {
 		log.debug("Writing error as result");
-		ErrorResultImpl error = new ErrorResultImpl(bindingProcessorError);
+		ErrorResultImpl error = new ErrorResultImpl(bindingProcessorError, locale);
 		error.writeTo(new StreamResult(new OutputStreamWriter(os, encoding)), templates);
 	}
 
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java
index c95736bd..5af2afac 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java
@@ -16,13 +16,17 @@
 */
 package at.gv.egiz.bku.slcommands;
 
+import java.util.Locale;
+
 import at.gv.egiz.bku.utils.urldereferencer.URLDereferencerContext;
 import at.gv.egiz.stal.STAL;
 
 public class SLCommandContext {
   
   private STAL stal;
-  private URLDereferencerContext urlDerefCtx;
+  private URLDereferencerContext urlDerefCtx;
+  
+  private Locale locale;
 
   public void setSTAL(STAL aStal) {
     this.stal = aStal;
@@ -38,5 +42,14 @@ public class SLCommandContext {
 
   public URLDereferencerContext getURLDereferencerContext() {
     return urlDerefCtx;
-  }
+  }
+
+  public Locale getLocale() {
+    return locale;
+  }
+
+  public void setLocale(Locale locale) {
+    this.locale = locale;
+  }
+  
 }
\ No newline at end of file
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java
index 628326cf..6462bcf6 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java
@@ -216,8 +216,8 @@ public class CreateXMLSignatureCommandImpl extends SLCommandImpl<CreateXMLSignat
       
       return new CreateXMLSignatureResultImpl(signature.getDocument());
       
-    } catch (SLException e) {
-      return new ErrorResultImpl(e);
+    } catch (SLException e) {
+      return new ErrorResultImpl(e, cmdCtx.getLocale());
     } 
   }
 
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImpl.java
index 176ba001..5d0f0de0 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImpl.java
@@ -16,6 +16,8 @@
 */
 package at.gv.egiz.bku.slcommands.impl;
 
+import java.util.Locale;
+
 import javax.xml.transform.Result;
 import javax.xml.transform.Templates;
 
@@ -32,22 +34,34 @@ public class ErrorResultImpl extends SLResultImpl implements ErrorResult {
   /**
    * The exception containing information provided in the <code>ErrorResponse</code>.
    */
-  protected SLException slException;
-
-  /**
-   * Creates a new instance of this ErrorResultImpl with the given
-   * <code>slException</code> containing information provided in the
-   * <code>ErrorResponse</code>.
-   * 
-   * @param slException the exception 
-   */
-  public ErrorResultImpl(SLException slException) {
-    this.slException = slException;
-  }
-
+  protected SLException slException;
+  
+  /**
+   * The locale to be used for rendering an <code>ErrorResponse</code>.
+   */
+  protected Locale locale;
+  
+  /**
+   * Creates a new instance of this ErrorResultImpl with the given
+   * <code>slException</code> containing information provided in the
+   * <code>ErrorResponse</code> and the <code>locale</code> for rendering
+   * the <code>ErrorResponse</code>.
+   * 
+   * @param slException the exception
+   * @param locale the locale
+   */
+  public ErrorResultImpl(SLException slException, Locale locale) {
+    this.slException = slException;
+    this.locale = locale;
+  }
+
   @Override
   public void writeTo(Result result, Templates templates) {
-    writeErrorTo(slException, result, templates);
+    if (locale == null) {
+      writeErrorTo(slException, result, templates);
+    } else {
+      writeErrorTo(slException, result, templates, locale);
+    }
   }
   
 }
\ No newline at end of file
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadCommandImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadCommandImpl.java
index d23c0598..c7bb5205 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadCommandImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadCommandImpl.java
@@ -279,7 +279,7 @@ public class InfoboxReadCommandImpl extends SLCommandImpl<InfoboxReadRequestType
         throw new SLCommandException(4000);
       }
     } catch (SLCommandException e) {
-      return new ErrorResultImpl(e);
+      return new ErrorResultImpl(e, cmdCtx.getLocale());
     }
   }
  
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SLResultImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SLResultImpl.java
index 57309182..7306b237 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SLResultImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SLResultImpl.java
@@ -16,6 +16,8 @@
 */
 package at.gv.egiz.bku.slcommands.impl;
 
+import java.util.Locale;
+
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.JAXBException;
@@ -181,6 +183,10 @@ public abstract class SLResultImpl implements SLResult {
   }
   
   protected void writeErrorTo(SLException slException, Result result, Templates templates) {
+    writeErrorTo(slException, result, templates, Locale.getDefault());
+  }
+  
+  protected void writeErrorTo(SLException slException, Result result, Templates templates, Locale locale) {
     
     TransformerHandler transformerHandler = null;
     if (templates != null) {
@@ -195,7 +201,7 @@ public abstract class SLResultImpl implements SLResult {
     ObjectFactory factory = new ObjectFactory();
     ErrorResponseType responseType = factory.createErrorResponseType();
     responseType.setErrorCode(slException.getErrorCode());
-    responseType.setInfo(slException.getDetailedMsg());
+    responseType.setInfo(slException.getLocalizedMessage(locale));
     JAXBElement<ErrorResponseType> response = factory.createErrorResponse(responseType);
     
     Marshaller marshaller = getMarshaller();
diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImplTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImplTest.java
index 8455e934..f10ca520 100644
--- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImplTest.java
+++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/ErrorResultImplTest.java
@@ -17,6 +17,7 @@
 package at.gv.egiz.bku.slcommands.impl;
 
 import java.io.ByteArrayOutputStream;
+import java.util.Locale;
 
 import javax.xml.transform.stream.StreamResult;
 
@@ -31,7 +32,7 @@ public class ErrorResultImplTest {
   public void writeTo() {
     
     SLException slException = new SLException(0,"test.noerror", null);
-    ErrorResult errorResult = new ErrorResultImpl(slException);
+    ErrorResult errorResult = new ErrorResultImpl(slException, Locale.getDefault());
     
     ByteArrayOutputStream stream = new ByteArrayOutputStream();
     StreamResult result = new StreamResult(stream);
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index abe086ee..9e56701f 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -30,12 +30,18 @@ package at.gv.egiz.smcc;
 
 import java.nio.charset.Charset;
 
+import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
 import javax.smartcardio.ResponseAPDU;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
+  
+  private static Log log = LogFactory.getLog(ACOSCard.class);
 
   public static final byte[] AID_DEC = new byte[] { (byte) 0xA0, (byte) 0x00,
       (byte) 0x00, (byte) 0x01, (byte) 0x18, (byte) 0x45, (byte) 0x4E };
@@ -97,7 +103,145 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
     super("at/gv/egiz/smcc/ACOSCard");
   }
 
-  byte[] selectFileAID(byte[] fid) throws CardException, SignatureCardException {
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.SignatureCard#getCertificate(at.gv.egiz.smcc.SignatureCard.KeyboxName)
+   */
+  public byte[] getCertificate(KeyboxName keyboxName)
+      throws SignatureCardException {
+  
+    byte[] aid;
+    byte[] efc;
+    int maxsize;
+    if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+      aid = AID_SIG;
+      efc = EF_C_CH_DS;
+      maxsize = EF_C_CH_DS_MAX_SIZE;
+    } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
+      aid = AID_DEC;
+      efc = EF_C_CH_EKEY;
+      maxsize = EF_C_CH_EKEY_MAX_SIZE;
+    } else {
+      throw new IllegalArgumentException("Keybox " + keyboxName
+          + " not supported.");
+    }
+
+    log.debug("Get certificate for keybox '" + keyboxName.getKeyboxName() + "'" +
+        " (AID=" + toString(aid) + " EF=" + toString(efc) + ").");
+    
+    try {
+      Card card = getCardChannel().getCard();
+      try {
+        card.beginExclusive();
+        return readTLVFile(aid, efc, maxsize + 15000);
+      } catch (FileNotFoundException e) {
+        // if certificate is not present, 
+        // the citizen card application has not been activated
+        throw new NotActivatedException();
+      } finally {
+        card.endExclusive();
+      }
+    } catch (CardException e) {
+      throw new SignatureCardException("Failed to get exclusive card access.");
+    }
+
+    
+  }
+
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.SignatureCard#getInfobox(java.lang.String, at.gv.egiz.smcc.PINProvider, java.lang.String)
+   */
+  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+      throws SignatureCardException {
+  
+    if ("IdentityLink".equals(infobox)) {
+  
+      PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("inf.pin.name"));
+      
+      try {
+        Card card = getCardChannel().getCard();
+        try {
+          card.beginExclusive();
+          return readTLVFilePIN(AID_DEC, EF_INFOBOX, KID_PIN_INF, provider,
+              spec, EF_INFOBOX_MAX_SIZE);
+        } catch (FileNotFoundException e) {
+          // if certificate is not present, 
+          // the citizen card application has not been activated
+          throw new NotActivatedException();
+        } finally {
+          card.endExclusive();
+        }
+      } catch (CardException e) {
+        throw new SignatureCardException("Failed to get exclusive card access.");
+      }
+  
+    } else {
+      throw new IllegalArgumentException("Infobox '" + infobox
+          + "' not supported.");
+    }
+  
+  }
+
+  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
+      PINProvider provider) throws SignatureCardException {
+  
+    if (hash.length != 20) {
+      throw new IllegalArgumentException("Hash value must be of length 20.");
+    }
+  
+    try {
+      Card card = getCardChannel().getCard();
+      try {
+        card.beginExclusive();
+        
+        if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
+
+          // SELECT DF
+          selectFileFID(DF_SIG);
+          // VERIFY
+          verifyPIN(provider, new PINSpec(6, 10, "[0-9]", getResourceBundle()
+              .getString("sig.pin.name")), KID_PIN_SIG);
+          // MSE: SET DST
+          mseSetDST(0x81, 0xb6, DST_SIG);
+          // PSO: HASH
+          psoHash(hash);
+          // PSO: COMPUTE DIGITAL SIGNATURE
+          return psoComputDigitalSiganture();
+      
+        } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
+
+          // SELECT DF
+          selectFileFID(DF_DEC);
+          // VERIFY
+          verifyPIN(provider, new PINSpec(4, 4, "[0-9]", getResourceBundle()
+              .getString("dec.pin.name")), KID_PIN_DEC);
+          // MSE: SET DST
+          mseSetDST(0x41, 0xa4, DST_DEC);
+          // INTERNAL AUTHENTICATE
+          return internalAuthenticate(hash);
+
+          
+          // 00 88 10 00 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 54 26 F0 EA  AF EA F0 4E D4 A1 AD BF 66 D4 A5 9B 45 6F AF 79 00
+          // 00 88 10 00 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 DF 8C AB 8F E2 AD AC 7B 5A AF BE E9 44 5E 95 99 FA AF 2F 48 00
+          
+        } else {
+          throw new IllegalArgumentException("KeyboxName '" + keyboxName
+              + "' not supported.");
+        }
+        
+      } catch (FileNotFoundException e) {
+        // if certificate is not present, 
+        // the citizen card application has not been activated
+        throw new NotActivatedException();
+      } finally {
+        card.endExclusive();
+      }
+    } catch (CardException e) {
+      throw new SignatureCardException("Failed to get exclusive card access.");
+    }
+
+  }
+
+  protected byte[] selectFileAID(byte[] fid) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x04,
         0x00, fid, 256));
@@ -109,18 +253,40 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
     }
   }
 
-  byte[] selectFileFID(byte[] fid) throws CardException, SignatureCardException {
+  protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x00,
+    return transmit(channel, new CommandAPDU(0x00, 0xA4, 0x00,
         0x00, fid, 256));
-    if (resp.getSW() == 0x6a82) {
-      throw new SignatureCardException("Failed to select file (FID="
-          + toString(fid) + "): SW=" + Integer.toHexString(resp.getSW()) + ")");
+  }
+
+  protected int verifyPIN(String pin, byte kid) throws CardException, SignatureCardException {
+    
+    CardChannel channel = getCardChannel();
+
+    byte[] asciiPIN = pin.getBytes(Charset.forName("ASCII"));
+    byte[] encodedPIN = new byte[8];
+    System.arraycopy(asciiPIN, 0, encodedPIN, 0, Math.min(asciiPIN.length,
+        encodedPIN.length));
+
+    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x20, 0x00,
+        kid, encodedPIN), false);
+    
+    if (resp.getSW() == 0x63c0) {
+      throw new LockedException("PIN locked.");
+    } else if (resp.getSW1() == 0x63 && resp.getSW2() >> 4 == 0xc) {
+      // return number of possible retries
+      return resp.getSW2() & 0x0f;
+    } else if (resp.getSW() == 0x6983) {
+      throw new NotActivatedException();
+    } else if (resp.getSW() == 0x9000) {
+      return -1;
     } else {
-      return resp.getBytes();
+      throw new SignatureCardException("Failed to verify pin: SW="
+          + Integer.toHexString(resp.getSW()) + ".");
     }
-  }
 
+  }
+  
   /**
    * 
    * @param pinProvider
@@ -128,56 +294,30 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
    *          the PIN spec to be given to the pinProvider
    * @param kid
    *          the KID (key identifier) of the PIN to be verified
-   * @param kfpc
-   *          acutal value of the KFCP (key fault presentation counter) or less
-   *          than 0 if actual value is unknown
-   * 
-   * @return -1 if the PIN has been verifyed successfully, or else the new value
-   *         of the KFCP (key fault presentation counter)
-   * 
    * @throws CancelledException
    *           if the user canceld the operation
    * @throws javax.smartcardio.CardException
    * @throws at.gv.egiz.smcc.SignatureCardException
    */
-  int verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid, int kfpc)
+  protected void verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid)
       throws CardException, CancelledException, SignatureCardException {
 
-    CardChannel channel = getCardChannel();
-
-    // get PIN
-    String pin = pinProvider.providePIN(spec, kfpc);
-    if (pin == null) {
-      // User canceld operation
-      // throw new CancelledException("User canceld PIN entry");
-      return -2;
-    }
-
-    byte[] asciiPIN = pin.getBytes(Charset.forName("ASCII"));
-    byte[] encodedPIN = new byte[8];
-    System.arraycopy(asciiPIN, 0, encodedPIN, 0, Math.min(asciiPIN.length,
-        encodedPIN.length));
-
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x20, 0x00,
-        kid, encodedPIN));
-    if (resp.getSW1() == (byte) 0x63 && resp.getSW2() >> 4 == (byte) 0xc) {
-      return resp.getSW2() & (byte) 0x0f;
-    } else if (resp.getSW() == 0x6983) {
-      // PIN blocked
-      throw new SignatureCardException(spec.getLocalizedName() + " blocked.");
-    } else if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("Failed to verify pin: SW="
-          + Integer.toHexString(resp.getSW()) + ".");
-    } else {
-      return -1;
-    }
-
+    int retries = -1;
+    do {
+      String pin = pinProvider.providePIN(spec, retries);
+      if (pin == null) {
+        // user canceled operation
+        throw new CancelledException("User canceled operation");
+      } 
+      retries = verifyPIN(pin, kid);
+    } while (retries > 0);
+      
   }
-
-  void mseSetDST(byte[] dst) throws CardException, SignatureCardException {
+    
+  void mseSetDST(int p1, int p2, byte[] dst) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x22, 0x81,
-        0xB6, dst));
+    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x22, p1,
+        p2, dst));
     if (resp.getSW() != 0x9000) {
       throw new SignatureCardException("MSE:SET DST failed: SW="
           + Integer.toHexString(resp.getSW()));
@@ -207,102 +347,30 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
       return resp.getData();
     }
   }
-
-  public byte[] getCertificate(KeyboxName keyboxName)
-      throws SignatureCardException {
-
-    if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
-      return readTLVFile(AID_SIG, EF_C_CH_DS, EF_C_CH_DS_MAX_SIZE);
-    } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
-      return readTLVFile(AID_DEC, EF_C_CH_EKEY, EF_C_CH_EKEY_MAX_SIZE);
-    } else {
-      throw new IllegalArgumentException("Keybox " + keyboxName
-          + " not supported.");
-    }
-
-  }
-
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
-      throws SignatureCardException {
-
-    if ("IdentityLink".equals(infobox)) {
-
-      PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString(
-          "inf.pin.name"));
-      try {
-        byte[] res = readTLVFilePIN(AID_DEC, EF_INFOBOX, KID_PIN_INF, provider,
-            spec, EF_INFOBOX_MAX_SIZE);
-        return res;
-      } catch (Exception e) {
-        throw new SecurityException(e);
-      }
-
+  
+  byte[] internalAuthenticate(byte[] hash) throws CardException, SignatureCardException {
+    byte[] digestInfo = new byte[] {
+        (byte) 0x30, (byte) 0x21, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2B, (byte) 0x0E, 
+        (byte) 0x03, (byte) 0x02, (byte) 0x1A, (byte) 0x05, (byte) 0x00, (byte) 0x04
+    };
+    
+    byte[] data = new byte[digestInfo.length + hash.length + 1];
+    
+    System.arraycopy(digestInfo, 0, data, 0, digestInfo.length);
+    data[digestInfo.length] = (byte) hash.length;
+    System.arraycopy(hash, 0, data, digestInfo.length + 1, hash.length);
+    
+    CardChannel channel = getCardChannel();
+    
+    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x88, 0x10, 0x00, data, 256));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("INTERNAL AUTHENTICATE failed: SW=" + Integer.toHexString(resp.getSW()));
     } else {
-      throw new IllegalArgumentException("Infobox '" + infobox
-          + "' not supported.");
+      return resp.getData();
     }
-
   }
 
   public String toString() {
     return "a-sign premium";
   }
-
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException {
-
-    if (hash.length != 20) {
-      throw new IllegalArgumentException("Hash value must be of length 20");
-    }
-
-    byte[] fid;
-    byte kid;
-    byte[] dst;
-    PINSpec spec;
-    if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
-      fid = DF_SIG;
-      kid = KID_PIN_SIG;
-      dst = DST_SIG;
-      spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString(
-          "sig.pin.name"));
-
-    } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
-      fid = DF_DEC;
-      kid = KID_PIN_DEC;
-      dst = DST_DEC;
-      spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString(
-          "dec.pin.name"));
-
-    } else {
-      throw new IllegalArgumentException("KeyboxName '" + keyboxName
-          + "' not supported.");
-    }
-
-    try {
-
-      // SELECT DF
-      selectFileFID(fid);
-      // VERIFY
-      int kfpc = -1;
-      while (true) {
-        kfpc = verifyPIN(provider, spec, kid, kfpc);
-        if (kfpc < -1) {
-          return null;
-        } else if (kfpc < 0) {
-          break;
-        }
-      }
-      // MSE: SET DST
-      mseSetDST(dst);
-      // PSO: HASH
-      psoHash(hash);
-      // PSO: COMPUTE DIGITAL SIGNATURE
-      byte[] rs = psoComputDigitalSiganture();
-
-      return rs;
-
-    } catch (CardException e) {
-      throw new SignatureCardException("Failed to create signature.", e);
-    }
-  }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
index 77a3e2ea..cebc63fc 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
@@ -31,7 +31,6 @@ package at.gv.egiz.smcc;
 import java.nio.ByteBuffer;
 import java.util.Locale;
 import java.util.ResourceBundle;
-import java.util.logging.Logger;
 
 import javax.smartcardio.ATR;
 import javax.smartcardio.Card;
@@ -60,7 +59,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     this.resourceBundleName = resourceBundleName;
   }
 
-  String toString(byte[] b) {
+  protected String toString(byte[] b) {
     StringBuffer sb = new StringBuffer();
     if (b != null && b.length > 0) {
       sb.append(Integer.toHexString((b[0] & 240) >> 4));
@@ -74,13 +73,46 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     return sb.toString();
   }
 
-  abstract byte[] selectFileAID(byte[] fid) throws CardException,
+  protected abstract byte[] selectFileAID(byte[] fid) throws CardException,
       SignatureCardException;
 
-  abstract byte[] selectFileFID(byte[] fid) throws CardException,
+  protected abstract ResponseAPDU selectFileFID(byte[] fid) throws CardException,
       SignatureCardException;
 
-  byte[] readBinary(CardChannel channel, int offset, int len)
+  /**
+   * VERIFY PIN
+   * 
+   * <p>
+   * Implementations of this method should call
+   * {@link PINProvider#providePIN(PINSpec, int)} to retrieve the PIN entered by
+   * the user and VERIFY PIN on the smart card until the PIN has been
+   * successfully verified.
+   * </p>
+   * 
+   * @param pinProvider
+   *          the PINProvider
+   * @param spec
+   *          the PINSpec
+   * @param kid
+   *          the key ID (KID) of the PIN to verify
+   * 
+   * @throws CardException
+   *           if smart card communication fails
+   * 
+   * @throws CancelledException
+   *           if the PINProvider indicated that the user canceled the PIN entry
+   * @throws NotActivatedException
+   *           if the card application has not been activated
+   * @throws LockedException
+   *           if the card application is locked
+   * 
+   * @throws SignatureCardException
+   *           if VERIFY PIN fails
+   */
+  protected abstract void verifyPIN(PINProvider pinProvider, PINSpec spec,
+      byte kid) throws CardException, SignatureCardException;
+
+  protected byte[] readBinary(CardChannel channel, int offset, int len)
       throws CardException, SignatureCardException {
 
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xB0,
@@ -94,7 +126,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   }
 
-  int readBinary(int offset, int len, byte[] b) throws CardException,
+  protected int readBinary(int offset, int len, byte[] b) throws CardException,
       SignatureCardException {
 
     if (b.length < len) {
@@ -114,7 +146,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   }
 
-  byte[] readBinaryTLV(int maxSize, byte expectedType) throws CardException,
+  protected byte[] readBinaryTLV(int maxSize, byte expectedType) throws CardException,
       SignatureCardException {
 
     CardChannel channel = getCardChannel();
@@ -150,15 +182,38 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   }
 
-  abstract int verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid,
-      int kfpc) throws CardException, SignatureCardException;
-
-  public byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
+  /**
+   * Read the content of a TLV file.
+   * 
+   * @param aid the application ID (AID)
+   * @param ef the elementary file (EF)
+   * @param maxLength the maximum length of the file
+   * 
+   * @return the content of the file
+   * 
+   * @throws SignatureCardException
+   */
+  protected byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
       throws SignatureCardException {
     return readTLVFilePIN(aid, ef, (byte) 0, null, null, maxLength);
   }
 
-  public byte[] readTLVFilePIN(byte[] aid, byte[] ef, byte kid,
+  
+  /**
+   * Read the content of a TLV file wich may require a PIN.
+   * 
+   * @param aid the application ID (AID)
+   * @param ef the elementary file (EF)
+   * @param kid the key ID (KID) of the corresponding PIN
+   * @param provider the PINProvider
+   * @param spec the PINSpec
+   * @param maxLength the maximum length of the file
+   * 
+   * @return the content of the file
+   * 
+   * @throws SignatureCardException
+   */
+  protected byte[] readTLVFilePIN(byte[] aid, byte[] ef, byte kid,
       PINProvider provider, PINSpec spec, int maxLength)
       throws SignatureCardException {
 
@@ -179,33 +234,38 @@ public abstract class AbstractSignatureCard implements SignatureCard {
       }
 
       // SELECT FILE (EF)
-      rb = selectFileFID(ef);
-      if (rb[rb.length - 2] != (byte) 0x90 || rb[rb.length - 1] != (byte) 0x00) {
+      ResponseAPDU resp = selectFileFID(ef);
+      if (resp.getSW() == 0x6a82) {
+        
+        // EF not found
+        throw new FileNotFoundException("EF " + toString(ef) + " not found.");
+        
+      } else if (resp.getSW() != 0x9000) {
 
         throw new SignatureCardException("SELECT FILE with "
             + "FID="
             + toString(ef)
             + " failed ("
             + "SW="
-            + Integer.toHexString((0xFF & (int) rb[rb.length - 1])
-                | (0xFF & (int) rb[rb.length - 2]) << 8) + ").");
+            + Integer.toHexString(resp.getSW()) + ").");
+        
       }
 
       // try to READ BINARY
-      int sw = readBinary(0, 1, new byte[1]);
+      byte[] b = new byte[1];
+      int sw = readBinary(0, 1, b);
+      
       if (provider != null && sw == 0x6982) {
 
         // VERIFY
-        int kfpc = -1; // unknown
-        while (true) {
-          kfpc = verifyPIN(provider, spec, kid, kfpc);
-          if (kfpc < -1) {
-            return null;
-          } else if (kfpc < 0) {
-            break;
-          }
+        verifyPIN(provider, spec, kid);
+        
+      } else if (sw == 0x9000) {
+        // not expected type
+        if (b[0] != 0x30) {
+          throw new NotActivatedException();
         }
-      } else if (sw != 0x9000) {
+      } else {
         throw new SignatureCardException("READ BINARY failed (SW="
             + Integer.toHexString(sw) + ").");
       }
@@ -221,17 +281,56 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   }
 
-  ResponseAPDU transmit(CardChannel channel, CommandAPDU commandAPDU)
+  /**
+   * Transmit the given command APDU using the given card channel.
+   * 
+   * @param channel
+   *          the card channel
+   * @param commandAPDU
+   *          the command APDU
+   * @param logData
+   *          <code>true</code> if command APDU data may be logged, or
+   *          <code>false</code> otherwise
+   * 
+   * @return the corresponding response APDU
+   * 
+   * @throws CardException
+   *           if smart card communication fails
+   */
+  protected ResponseAPDU transmit(CardChannel channel, CommandAPDU commandAPDU, boolean logData)
+      throws CardException {
+    
+    if (log.isTraceEnabled()) {
+      log.trace(commandAPDU 
+          + (logData ? "\n" + toString(commandAPDU.getBytes()) : ""));
+      long t0 = System.currentTimeMillis();
+      ResponseAPDU responseAPDU = channel.transmit(commandAPDU);
+      long t1 = System.currentTimeMillis();
+      log.trace(responseAPDU + "\n[" + (t1 - t0) + "ms] "
+          + (logData ? "\n" + toString(responseAPDU.getBytes()) : ""));
+      return responseAPDU;
+    } else {
+      return channel.transmit(commandAPDU);
+    }
+    
+  }
+
+  /**
+   * Transmit the given command APDU using the given card channel.
+   * 
+   * @param channel the card channel
+   * @param commandAPDU the command APDU
+   * 
+   * @return the corresponding response APDU
+   * 
+   * @throws CardException if smart card communication fails
+   */
+  protected ResponseAPDU transmit(CardChannel channel, CommandAPDU commandAPDU)
       throws CardException {
-    log.trace(commandAPDU + "\n" + toString(commandAPDU.getBytes()));
-    long t0 = System.currentTimeMillis();
-    ResponseAPDU responseAPDU = channel.transmit(commandAPDU);
-    long t1 = System.currentTimeMillis();
-    log.trace(responseAPDU + "\n[" + (t1 - t0) + "ms] "
-        + toString(responseAPDU.getBytes()));
-    return responseAPDU;
+    return transmit(channel, commandAPDU, true);
   }
 
+  
   public void init(Card card) {
     card_ = card;
     ATR atr = card.getATR();
@@ -242,7 +341,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     }
   }
 
-  CardChannel getCardChannel() {
+  protected CardChannel getCardChannel() {
     return card_.getBasicChannel();
   }
 
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/FileNotFoundException.java b/smcc/src/main/java/at/gv/egiz/smcc/FileNotFoundException.java
new file mode 100644
index 00000000..f96611c2
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/FileNotFoundException.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class FileNotFoundException extends SignatureCardException {
+
+  private static final long serialVersionUID = 1L;
+
+  public FileNotFoundException() {
+  }
+
+  public FileNotFoundException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  public FileNotFoundException(String message) {
+    super(message);
+  }
+
+  public FileNotFoundException(Throwable cause) {
+    super(cause);
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/LockedException.java b/smcc/src/main/java/at/gv/egiz/smcc/LockedException.java
new file mode 100644
index 00000000..e00322a0
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/LockedException.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class LockedException extends SignatureCardException {
+
+  private static final long serialVersionUID = 1L;
+
+  public LockedException() {
+  }
+
+  public LockedException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  public LockedException(String message) {
+    super(message);
+  }
+
+  public LockedException(Throwable cause) {
+    super(cause);
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/NotActivatedException.java b/smcc/src/main/java/at/gv/egiz/smcc/NotActivatedException.java
new file mode 100644
index 00000000..9181fc5f
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/NotActivatedException.java
@@ -0,0 +1,44 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+/**
+ * This exception is thrown upon a call to a function that
+ * has not been activated (e.g. not yet activated citizen card). 
+ */
+public class NotActivatedException extends SignatureCardException {
+
+  private static final long serialVersionUID = 1L;
+
+  public NotActivatedException() {
+    super();
+  }
+
+  public NotActivatedException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  public NotActivatedException(String message) {
+    super(message);
+  }
+
+  public NotActivatedException(Throwable cause) {
+    super(cause);
+  }
+
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index 79e2663e..99acbc0f 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -31,12 +31,21 @@ package at.gv.egiz.smcc;
 import java.math.BigInteger;
 import java.util.Arrays;
 
+import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
 import javax.smartcardio.ResponseAPDU;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 public class STARCOSCard extends AbstractSignatureCard implements SignatureCard {
+  
+  /**
+   * Logging facility.
+   */
+  private static Log log = LogFactory.getLog(STARCOSCard.class);
 
   public static final byte[] MF = new byte[] { (byte) 0x3F, (byte) 0x00 };
 
@@ -83,7 +92,7 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
 
   public static final byte KID_PIN_SS = (byte) 0x81;
 
-  // Gew�hnliche Signatur (GS)
+  // Gewöhnliche Signatur (GS)
 
   public static final byte[] AID_DF_GS = new byte[] { (byte) 0xd0, (byte) 0x40,
       (byte) 0x00, (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x13,
@@ -104,31 +113,157 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
       // .
       // )
       (byte) 0x80, (byte) 0x02, (byte) 0x00, // local, key ID, key version
-      (byte) 0x89, (byte) 0x01, // tag, length (algorithm ID)
-      (byte) 0x14 // ECDSA
+      (byte) 0x89, (byte) 0x03, // tag, length (algorithm ID)
+      (byte) 0x13, (byte) 0x35, (byte) 0x10 // ECDSA
   };
 
   public static final byte KID_PIN_CARD = (byte) 0x01;
   
+  /**
+   * Creates an new instance.
+   */
   public STARCOSCard() {
     super("at/gv/egiz/smcc/STARCOSCard");
   }
  
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.SignatureCard#getCertificate(at.gv.egiz.smcc.SignatureCard.KeyboxName)
+   */
   public byte[] getCertificate(KeyboxName keyboxName)
       throws SignatureCardException {
 
+    byte[] aid;
+    byte[] efc;
     if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
-      return readTLVFile(AID_DF_SS, EF_C_X509_CH_DS, 2000);
+      aid = AID_DF_SS;
+      efc = EF_C_X509_CH_DS;
     } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
-      return readTLVFile(AID_DF_GS, EF_C_X509_CH_AUT, 2000);
+      aid = AID_DF_GS;
+      efc = EF_C_X509_CH_AUT;
     } else {
       throw new IllegalArgumentException("Keybox " + keyboxName
           + " not supported.");
     }
 
+    log.debug("Get certificate for keybox '" + keyboxName.getKeyboxName() + "'" +
+        " (AID=" + toString(aid) + " EF=" + toString(efc) + ").");
+
+    try {
+      Card card = getCardChannel().getCard();
+      try {
+        card.beginExclusive();
+        return readTLVFile(aid, efc, 2000);
+      } catch (FileNotFoundException e) {
+        // if certificate is not present, 
+        // the citizen card application has not been activated
+        throw new NotActivatedException();
+      } finally {
+        card.endExclusive();
+      }
+    } catch (CardException e) {
+      throw new SignatureCardException("Failed to get exclusive card access.");
+    }
+    
+  }
+
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.SignatureCard#getInfobox(java.lang.String, at.gv.egiz.smcc.PINProvider, java.lang.String)
+   */
+  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+      throws SignatureCardException {
+  
+    if ("IdentityLink".equals(infobox)) {
+  
+      PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
+      
+      try {
+        Card card = getCardChannel().getCard();
+        try {
+          card.beginExclusive();
+          return readTLVFilePIN(AID_INFOBOX, EF_INFOBOX, KID_PIN_CARD,
+              provider, spec, 2000);
+        } catch (FileNotFoundException e) {
+          // if certificate is not present, 
+          // the citizen card application has not been activated
+          throw new NotActivatedException();
+        } finally {
+          card.endExclusive();
+        }
+      } catch (CardException e) {
+        throw new SignatureCardException("Failed to get exclusive card access.");
+      }
+      
+    } else {
+      throw new IllegalArgumentException("Infobox '" + infobox
+          + "' not supported.");
+    }
+  
+  }
+
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.SignatureCard#createSignature(byte[], at.gv.egiz.smcc.SignatureCard.KeyboxName, at.gv.egiz.smcc.PINProvider)
+   */
+  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
+      PINProvider provider) throws SignatureCardException {
+  
+    if (hash.length != 20) {
+      throw new IllegalArgumentException("Hash value must be of length 20.");
+    }
+  
+    byte[] aid;
+    byte kid;
+    byte[] dst;
+    PINSpec spec;
+    if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
+      aid = AID_DF_SS;
+      kid = KID_PIN_SS;
+      dst = DST_SS;
+      spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
+  
+    } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
+      aid = AID_DF_GS;
+      kid = KID_PIN_CARD;
+      dst = DST_GS;
+      spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
+  
+    } else {
+      throw new IllegalArgumentException("KeyboxName '" + keyboxName
+          + "' not supported.");
+    }
+  
+    try {
+      Card card = getCardChannel().getCard();
+      try {
+        card.beginExclusive();
+
+        // SELECT MF
+        selectMF();
+        // SELECT DF
+        selectFileAID(aid);
+        // VERIFY
+        verifyPIN(provider, spec, kid);
+        // MSE: SET DST
+        mseSetDST(dst);
+        // PSO: HASH
+        psoHash(hash);
+        // PSO: COMPUTE DIGITAL SIGNATURE
+        return psoComputDigitalSiganture();
+
+
+      } catch (FileNotFoundException e) {
+        // if certificate is not present, 
+        // the citizen card application has not been activated
+        throw new NotActivatedException();
+      } finally {
+        card.endExclusive();
+      }
+    } catch (CardException e) {
+      throw new SignatureCardException("Failed to get exclusive card access.");
+    }
+  
   }
 
-  byte[] selectFileAID(byte[] fid) throws CardException, SignatureCardException {
+  protected byte[] selectFileAID(byte[] fid) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x04,
         0x04, fid, 256));
@@ -150,16 +285,10 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     }
   }
 
-  byte[] selectFileFID(byte[] fid) throws CardException, SignatureCardException {
+  protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x02,
+    return transmit(channel, new CommandAPDU(0x00, 0xA4, 0x02,
         0x04, fid, 256));
-    if (resp.getSW() == 0x6a82) {
-      throw new SignatureCardException("Failed to select file (FID="
-          + toString(fid) + "): SW=" + Integer.toHexString(resp.getSW()) + ".");
-    } else {
-      return resp.getBytes();
-    }
   }
 
   void mseSetDST(byte[] dst) throws CardException, SignatureCardException {
@@ -201,134 +330,86 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     }
   }
 
-  int verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid, int kfpc)
-      throws CardException, SignatureCardException {
-
+  /**
+   * VERIFY PIN
+   * <p>
+   * If <code>pin</code> is <code>null</code> only the PIN status is checked and
+   * returned.
+   * </p>
+   * 
+   * @param pin
+   *          the PIN (may be <code>null</code>)
+   * @param kid
+   *          the KID of the PIN to be verified
+   * 
+   * @return -1 if VERIFY PIN was successful, or the number of possible retries 
+   * 
+   * @throws CardException
+   *           if communication with the smart card fails.
+   * @throws NotActivatedException
+   *           if the card application has not been activated
+   * @throws SignatureCardException
+   *           if VERIFY PIN fails
+   */
+  private int verifyPIN(String pin, byte kid) throws CardException, SignatureCardException {
+    
     CardChannel channel = getCardChannel();
 
-    // get number of possible retries
-    ResponseAPDU resp = transmit(channel,
-        new CommandAPDU(0x00, 0x20, 0x00, kid));
-    int retries;
-    if (resp.getSW1() == 0x63 && resp.getSW2() >> 4 == 0xc) {
-      retries = resp.getSW2() & 0x0f;
-    } else if (resp.getSW() == 0x6984) {
-      // PIN LCS = "Initilized" (not activated)
-      throw new SignatureCardException(spec.getLocalizedName() + " not set.");
-    } else {
-      throw new SignatureCardException("Failed to get PIN retries: SW="
-          + Integer.toHexString(resp.getSW()));
-    }
-
-    // get PIN
-    String pin = pinProvider.providePIN(spec, retries);
+    ResponseAPDU resp;
     if (pin == null) {
-      // User canceled operation
-      // throw new CancelledException("User canceld PIN entry");
-      return -2;
-    }
-    // PIN length in bytes
-    int len = (int) Math.ceil(pin.length() / 2);
-
-    // BCD encode PIN and marshal PIN block
-    byte[] pinBytes = new BigInteger(pin, 16).toByteArray();
-    byte[] pinBlock = new byte[8];
-    if (len < pinBytes.length) {
-      System.arraycopy(pinBytes, pinBytes.length - len, pinBlock, 1, len);
+      resp = transmit(channel, new CommandAPDU(0x00, 0x20, 0x00, kid));
     } else {
-      System.arraycopy(pinBytes, 0, pinBlock, len - pinBytes.length + 1,
-          pinBytes.length);
+      // PIN length in bytes
+      int len = (int) Math.ceil(pin.length() / 2);
+
+      // BCD encode PIN and marshal PIN block
+      byte[] pinBytes = new BigInteger(pin, 16).toByteArray();
+      byte[] pinBlock = new byte[8];
+      if (len < pinBytes.length) {
+        System.arraycopy(pinBytes, pinBytes.length - len, pinBlock, 1, len);
+      } else {
+        System.arraycopy(pinBytes, 0, pinBlock, len - pinBytes.length + 1,
+            pinBytes.length);
+      }
+      pinBlock[0] = (byte) (0x20 + len * 2);
+      Arrays.fill(pinBlock, len + 1, 8, (byte) 0xff);
+
+      resp = transmit(channel, new CommandAPDU(0x00, 0x20, 0x00, kid, pinBlock), false);
+      
     }
-    pinBlock[0] = (byte) (0x20 + len * 2);
-    Arrays.fill(pinBlock, len + 1, 8, (byte) 0xff);
 
-    resp = transmit(channel, new CommandAPDU(0x00, 0x20, 0x00, kid, pinBlock));
-    if (resp.getSW1() == 0x63 && resp.getSW2() >> 4 == 0xc) {
+    if (resp.getSW() == 0x63c0) {
+      throw new LockedException("PIN locked.");
+    } else if (resp.getSW1() == 0x63 && resp.getSW2() >> 4 == 0xc) {
+      // return number of possible retries
       return resp.getSW2() & 0x0f;
-    } else if (resp.getSW() != 0x9000) {
+    } else if (resp.getSW() == 0x6984) {
+      // PIN LCS = "Initialized" (-> not activated)
+      throw new NotActivatedException("PIN not set.");
+    } else if (resp.getSW() == 0x9000) {
+      return -1; // success
+    } else {
       throw new SignatureCardException("Failed to verify pin: SW="
           + Integer.toHexString(resp.getSW()));
-    } else {
-      return -1;
-    }
-
-  }
-
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException {
-
-    if (hash.length != 20) {
-      throw new IllegalArgumentException("Hash value must be of length 20");
-    }
-
-    byte[] aid;
-    byte kid;
-    byte[] dst;
-    PINSpec spec;
-    if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
-      aid = AID_DF_SS;
-      kid = KID_PIN_SS;
-      dst = DST_SS;
-      spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
-
-    } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
-      aid = AID_DF_GS;
-      kid = KID_PIN_CARD;
-      dst = DST_GS;
-      spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
-
-    } else {
-      throw new IllegalArgumentException("KeyboxName '" + keyboxName
-          + "' not supported.");
     }
-
-    try {
-
-      // SELECT MF
-      selectMF();
-      // SELECT DF
-      selectFileAID(aid);
-      // VERIFY
-      int retr = -1; // unknown
-      while (true) {
-        retr = verifyPIN(provider, spec, kid, retr);
-        if (retr < -1) {
-          return null;
-        } else if (retr < 0) {
-          break;
-        }
-      }
-      // MSE: SET DST
-      mseSetDST(dst);
-      // PSO: HASH
-      psoHash(hash);
-      // PSO: COMPUTE DIGITAL SIGNATURE
-      byte[] rs = psoComputDigitalSiganture();
-      return rs;
-
-    } catch (CardException e) {
-      throw new SignatureCardException("Failed to create signature.", e);
-    }
-
+    
   }
+  
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#verifyPIN(at.gv.egiz.smcc.PINProvider, at.gv.egiz.smcc.PINSpec, byte, int)
+   */
+  protected void verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid)
+      throws CardException, SignatureCardException {
 
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
-      throws SignatureCardException {
-
-    if ("IdentityLink".equals(infobox)) {
-
-      PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
-      try {
-        byte[] res = readTLVFilePIN(AID_INFOBOX, EF_INFOBOX, KID_PIN_CARD,
-            provider, spec, 2000);
-        return res;
-      } catch (Exception e) {
-        throw new SignatureCardException(e);
+    int retries = verifyPIN(null, kid);
+    do {
+      String pin = pinProvider.providePIN(spec, retries);
+      if (pin == null) {
+        // user canceled operation
+        throw new CancelledException("User canceld operation.");
       }
-    } else {
-      throw new IllegalArgumentException("Infobox '" + infobox
-          + "' not supported.");
-    }
+      retries = verifyPIN(pin, kid);
+    } while (retries > 0);
 
   }
 
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
index 68a6f6df..22a66c3f 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
@@ -25,6 +25,8 @@ import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
 import java.security.Key;
 import java.security.KeyStore;
@@ -52,16 +54,20 @@ import org.apache.commons.logging.LogFactory;
  */
 public class SWCard implements SignatureCard {
   
-  private static final String BKU_USER_DIR = ".bku";
+  private static final String BKU_USER_DIR = ".mocca";
 
   private static final String SWCARD_DIR = "smcc";
   
   private static final String KEYSTORE_CERTIFIED_KEYPAIR = "certified.p12";
   
+  private static final String KEYSTORE_PASSWORD_CERTIFIED_KEYPAIR = "certified.pwd";
+  
   private static final String CERTIFICATE_CERTIFIED_KEYPAIR = "certified.cer";
   
   private static final String KEYSTORE_SECURE_KEYPAIR = "secure.p12";
   
+  private static final String KEYSTORE_PASSWORD_SECURE_KEYPAIR = "secure.pwd";
+
   private static final String CERTIFICATE_SECURE_KEYPAIR = "secure.cer";
   
   private static String swCardDir;
@@ -70,8 +76,12 @@ public class SWCard implements SignatureCard {
 
   private KeyStore certifiedKeyStore;
   
+  private String certifiedKeyStorePassword;
+  
   private KeyStore secureKeyStore;
   
+  private String secureKeyStorePassword;
+  
   private Certificate certifiedCertificate;
   
   private Certificate secureCertificate;
@@ -168,7 +178,7 @@ public class SWCard implements SignatureCard {
     }
     
     try {
-      keyStore.load(keyStoreFile, null);
+      keyStore.load(keyStoreFile, password);
     } catch (Exception e) {
       String msg = "Failed to load KeyStore from file '" + fileName + "'.";
       log.info(msg, e);
@@ -176,10 +186,33 @@ public class SWCard implements SignatureCard {
     } 
     
     return keyStore;
-
   
   }
   
+  private String loadKeyStorePassword(String passwordFileName) throws SignatureCardException {
+
+    String fileName = getFileName(passwordFileName);
+    FileInputStream keyStorePasswordFile;
+    try {
+      keyStorePasswordFile = new FileInputStream(fileName);
+    } catch (FileNotFoundException e) {
+      return null;
+    }
+    
+    try {
+      InputStreamReader reader = new InputStreamReader(keyStorePasswordFile, Charset.forName("UTF-8"));
+      StringBuilder sb = new StringBuilder();
+      char b[] = new char[16];
+      for (int l; (l = reader.read(b)) != -1;) {
+        sb.append(b, 0, l);
+      }
+      return sb.toString();
+    } catch (IOException e) {
+      throw new SignatureCardException("Failed to read file '" + passwordFileName + "'.");
+    }
+    
+  }
+  
   private KeyStore getKeyStore(KeyboxName keyboxName, char[] password) throws SignatureCardException {
     
     if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
@@ -198,6 +231,23 @@ public class SWCard implements SignatureCard {
     
   }
   
+  private String getPassword(KeyboxName keyboxName) throws SignatureCardException {
+    
+    if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
+      if (certifiedKeyStorePassword == null) {
+        certifiedKeyStorePassword = loadKeyStorePassword(KEYSTORE_PASSWORD_CERTIFIED_KEYPAIR);
+      }
+      return certifiedKeyStorePassword;
+    } else if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+      if (secureKeyStorePassword == null) {
+        secureKeyStorePassword = loadKeyStorePassword(KEYSTORE_PASSWORD_SECURE_KEYPAIR);
+      }
+      return secureKeyStorePassword;
+    } else {
+      throw new SignatureCardException("Keybox of type '" + keyboxName + "' not supported.");
+    }
+    
+  }
   
   public byte[] getCertificate(KeyboxName keyboxName)
       throws SignatureCardException {
@@ -254,9 +304,21 @@ public class SWCard implements SignatureCard {
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName, PINProvider provider) throws SignatureCardException {
 
     // KeyStore password
-    PINSpec pinSpec = new PINSpec(0, -1, ".", "KeyStore-Password");
-    
-    KeyStore keyStore = getKeyStore(keyboxName, null);
+    String password = getPassword(keyboxName);
+
+    if (password == null) {
+
+      PINSpec pinSpec = new PINSpec(0, -1, ".", "KeyStore-Password");
+      
+      password = provider.providePIN(pinSpec, -1);
+      
+      if (password == null) {
+        return null;
+      }
+      
+    }
+
+    KeyStore keyStore = getKeyStore(keyboxName, password.toCharArray());
 
     PrivateKey privateKey = null;
     
@@ -269,8 +331,7 @@ public class SWCard implements SignatureCard {
           Key key = null;
           while (key == null) {
             try {
-              String pin = provider.providePIN(pinSpec, -1);
-              key = keyStore.getKey(alias, pin.toCharArray());
+              key = keyStore.getKey(alias, password.toCharArray());
             } catch (UnrecoverableKeyException e) {
               log.info("Failed to get Key from KeyStore. Wrong password?", e);
             }
@@ -315,8 +376,6 @@ public class SWCard implements SignatureCard {
 
   @Override
   public void setLocale(Locale locale) {
-    // TODO Auto-generated method stub
-    throw new UnsupportedOperationException("Not supported yet.");
   }
 
   @Override
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java
index f2a964fe..f296f3a2 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java
@@ -34,7 +34,7 @@ public class SignatureCardException extends Exception {
    * 
    */
   private static final long serialVersionUID = 1L;
-
+  
   /**
    * Creates a new instance of this <code>SignatureCardException</code>.
    * 
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
index 2131a737..777299d9 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
@@ -28,19 +28,189 @@
 //
 package at.gv.egiz.smcc;
 
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
 import javax.smartcardio.ATR;
 import javax.smartcardio.Card;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * A factory for creating {@link SignatureCard}s from {@link Card}s. 
+ */
 public class SignatureCardFactory {
+  
+  /**
+   * This class represents a supported smart card. 
+   */
+  private class SupportedCard {
+    
+    /**
+     * The ATR pattern. 
+     */
+    private byte[] atrPattern;
+    
+    /**
+     * The ATR mask.
+     */
+    private byte[] atrMask;
+    
+    /**
+     * The implementation class.
+     */
+    private String impl;
 
-  public static SignatureCardFactory getInstance() {
-    return new SignatureCardFactory();
+    /**
+     * Creates a new SupportedCard instance with the given ATR pattern and mask
+     * und the corresponding implementation class.
+     * 
+     * @param atrPattern
+     *          the ATR pattern
+     * @param atrMask
+     *          the ATR mask
+     * @param implementationClass
+     *          the name of the implementation class
+     * 
+     * @throws NullPointerException
+     *           if <code>atrPattern</code> or <code>atrMask</code> is
+     *           <code>null</code>.
+     * @throws IllegalArgumentException
+     *           if the lengths of <code>atrPattern</code> and
+     *           <code>atrMask</code> of not equal.
+     */
+    public SupportedCard(byte[] atrPattern, byte[] atrMask, String implementationClass) {
+      if (atrPattern.length != atrMask.length) {
+        throw new IllegalArgumentException("Length of 'atr' and 'mask' must be equal.");
+      }
+      this.atrPattern = atrPattern;
+      this.atrMask = atrMask;
+      this.impl = implementationClass;
+    }
+
+    /**
+     * Returns true if the given ATR matches the ATR pattern and mask this
+     * SupportedCard object.
+     * 
+     * @param atr
+     *          the ATR
+     * 
+     * @return <code>true</code> if the given ATR matches the ATR pattern and
+     *         mask of this SupportedCard object, or <code>false</code>
+     *         otherwise.
+     */
+    public boolean matches(ATR atr) {
+
+      byte[] bytes = atr.getBytes();
+      if (bytes == null) {
+        return false;
+      }
+      if (bytes.length < atrMask.length) {
+        // we cannot test for equal length here, as we get ATRs with 
+        // additional bytes on systems using PCSClite (e.g. linux and OS X) sometimes
+        return false;
+      }
+
+      int l = Math.min(atrMask.length, bytes.length);
+      for (int i = 0; i < l; i++) {
+        if ((bytes[i] & atrMask[i]) != atrPattern[i]) {
+          return false;
+        }
+      }
+      return true;
+      
+    }
+
+    /**
+     * @return the corresponding implementation class.
+     */
+    public String getImplementationClassName() {
+      return impl;
+    }
+    
+  }
+
+  /**
+   * Logging facility.
+   */
+  private static Log log = LogFactory.getLog(SignatureCardFactory.class);
+  
+  /**
+   * The instance to be returned by {@link #getInstance()}.
+   */
+  private static SignatureCardFactory instance;
+  
+  /**
+   * The list of supported smart cards.
+   */
+  private List<SupportedCard> supportedCards;
+  
+  /**
+   * @return an instance of this SignatureCardFactory.
+   */
+  public static synchronized SignatureCardFactory getInstance() {
+    if (instance == null) {
+      instance = new SignatureCardFactory();
+    }
+    return instance;
   }
 
+  /**
+   * Private constructor.
+   */
   private SignatureCardFactory() {
+    
+    supportedCards = new ArrayList<SupportedCard>();
+
+    // e-card
+    supportedCards.add(new SupportedCard(
+        // ATR  (3b:bd:18:00:81:31:fe:45:80:51:02:00:00:00:00:00:00:00:00:00:00:00)
+        new byte[] {
+            (byte) 0x3b, (byte) 0xbd, (byte) 0x18, (byte) 0x00, (byte) 0x81, (byte) 0x31, (byte) 0xfe, (byte) 0x45, 
+            (byte) 0x80, (byte) 0x51, (byte) 0x02, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 
+        },
+        // mask (ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:00:00:00:00:00:00:00)
+        new byte[] {
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 
+        },
+        "at.gv.egiz.smcc.STARCOSCard"));
 
+    // a-sign premium
+    supportedCards.add(new SupportedCard(
+        // ATR  (3b:bf:11:00:81:31:fe:45:45:50:41:00:00:00:00:00:00:00:00:00:00:00:00:00)
+        new byte[] {
+            (byte) 0x3b, (byte) 0xbf, (byte) 0x11, (byte) 0x00, (byte) 0x81, (byte) 0x31, (byte) 0xfe, (byte) 0x45, 
+            (byte) 0x45, (byte) 0x50, (byte) 0x41, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 
+        },
+        // mask (ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:00:00:00:00:00:00:00:00:00)
+        new byte[] {
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        },
+        "at.gv.egiz.smcc.ACOSCard"));
+    
   }
 
+  /**
+   * Creates a SignatureCard instance with the given smart card.
+   * 
+   * @param card
+   *          the smart card, or <code>null</code> if a software card should be
+   *          created
+   * 
+   * @return a SignatureCard instance
+   * 
+   * @throws CardNotSupportedException
+   *           if no implementation of the given <code>card</code> could be
+   *           found
+   */
   public SignatureCard createSignatureCard(Card card)
       throws CardNotSupportedException {
     
@@ -51,31 +221,34 @@ public class SignatureCardFactory {
     }
 
     ATR atr = card.getATR();
-    byte[] historicalBytes = atr.getHistoricalBytes();
-    if(historicalBytes == null || historicalBytes.length < 3) {
-      throw new CardNotSupportedException("Card not supported: ATR=" + toString(atr.getBytes()));
+    Iterator<SupportedCard> cards = supportedCards.iterator();
+    while (cards.hasNext()) {
+      SupportedCard supportedCard = cards.next();
+      if(supportedCard.matches(atr)) {
+        
+        ClassLoader cl = SignatureCardFactory.class.getClassLoader();
+        SignatureCard sc;
+        try {
+          Class<?> scClass = cl.loadClass(supportedCard.getImplementationClassName());
+          sc = (SignatureCard) scClass.newInstance();
+          sc.init(card);
+          return sc;
+
+        } catch (ClassNotFoundException e) {
+          log.warn("Cannot find signature card implementation class.", e);
+          throw new CardNotSupportedException("Cannot find signature card implementation class.", e);
+        } catch (InstantiationException e) {
+          log.warn("Failed to instantiate signature card implementation.", e);
+          throw new CardNotSupportedException("Failed to instantiate signature card implementation.", e);
+        } catch (IllegalAccessException e) {
+          log.warn("Failed to instantiate signature card implementation.", e);
+          throw new CardNotSupportedException("Failed to instantiate signature card implementation.", e);
+        }
+        
+      }
     }
     
-    int t = ((0xFF & (int) historicalBytes[0]) << 16) + 
-      ((0xFF & (int) historicalBytes[1]) << 8) + 
-      (0xFF & (int) historicalBytes[2]);
-
-    SignatureCard sCard;
-    switch (t) {
-      case 0x455041 :
-      case 0x4D4341 :
-        sCard = new ACOSCard();
-        break;
-
-      case 0x805102 :
-        sCard = new STARCOSCard();
-        break;
-
-      default :
-        throw new CardNotSupportedException("Card not supported: ATR=" + toString(atr.getBytes()));
-    }
-    sCard.init(card);
-    return sCard;
+    throw new CardNotSupportedException("Card not supported: ATR=" + toString(atr.getBytes()));
     
   }
   
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/util/SmartCardIO.java b/smcc/src/main/java/at/gv/egiz/smcc/util/SmartCardIO.java
index ffffd3af..b70b44a7 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/util/SmartCardIO.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/util/SmartCardIO.java
@@ -142,7 +142,8 @@ public class SmartCardIO {
       for (CardTerminal terminal : cardTerminals_.list(CardTerminals.State.CARD_INSERTION)) {
 
         Card card = null;
-        try {
+        try {
+          log.trace("Trying to connect to card.");
           // try to connect to card
           card = terminal.connect("*");
         } catch (CardException e) {
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
new file mode 100644
index 00000000..b921a5d5
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
@@ -0,0 +1,92 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Locale;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+public class STARCOSCardTest {
+
+  /**
+   * @param args
+   * @throws CardException 
+   * @throws NoSuchAlgorithmException 
+   */
+  public static void main(String[] args) throws CardException, NoSuchAlgorithmException {
+    
+    SMCCHelper helper = new SMCCHelper();
+    while (helper.getResultCode() != SMCCHelper.CARD_FOUND) {
+      System.out.println("Did not get a signature card ... " + helper.getResultCode());
+      helper.update();
+      try {
+        Thread.sleep(1000);
+      } catch (InterruptedException e) {
+        e.printStackTrace();
+      }
+    }
+    
+    SignatureCard signatureCard = helper.getSignatureCard(Locale.getDefault());
+    
+    System.out.println("Found '" + signatureCard + "'.");
+    
+    try {
+//      signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+//      signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+//      signatureCard.getInfobox("IdentityLink", new CommandLinePINProvider(), null);
+      MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
+      byte[] digest = messageDigest.digest("test".getBytes());
+      signatureCard.createSignature(digest, KeyboxName.CERITIFIED_KEYPAIR, new CommandLinePINProvider());
+    } catch (SignatureCardException e) {
+      e.printStackTrace();
+    }
+
+  }
+  
+  private static class CommandLinePINProvider implements PINProvider {
+
+    @Override
+    public String providePIN(PINSpec spec, int retries) {
+      
+      InputStreamReader inputStreamReader = new InputStreamReader(System.in);
+      BufferedReader in = new BufferedReader(inputStreamReader);
+      
+      System.out.print("Enter " + spec.getLocalizedName() + " ["
+          + spec.getMinLength() + "-" + spec.getMaxLength() + "] (" + retries
+          + " retries):");
+      
+      try {
+        return in.readLine();
+      } catch (IOException e) {
+        return null;
+      }
+      
+    }
+    
+  }
+
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
index b48d6d50..cfac8cf5 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
@@ -20,6 +20,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
 import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.PINSpec;
 import at.gv.egiz.smcc.SignatureCard;
@@ -100,6 +102,12 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler implements
           stalResp.setInfoboxValue(resp);
           return stalResp;
         }
+      } catch (NotActivatedException e) {
+        log.info("Citizen card not activated.", e);
+        return new ErrorResponse(6001);
+      } catch (LockedException e) {
+        log.info("Citizen card locked.", e);
+        return new ErrorResponse(6001);
       } catch (CancelledException cx) {
         log.debug("User cancelled request", cx);
         return new ErrorResponse(6001);
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index dcd12b02..466ec2a9 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -32,6 +32,8 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
 import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.PINSpec;
 import at.gv.egiz.smcc.SignatureCard;
@@ -78,7 +80,7 @@ public abstract class SignRequestHandler extends AbstractRequestHandler implemen
                 String jceName = JCEAlgorithmNames.getJCEHashName(signatureMethod);
                 if (jceName == null) {
                     log.error("Hash algorithm not supported:");
-                    return new ErrorResponse(1000);
+                    return new ErrorResponse(4006);
                 }
                 MessageDigest md = MessageDigest.getInstance(jceName);
                 md.update(signReq.getSignedInfo());
@@ -90,6 +92,12 @@ public abstract class SignRequestHandler extends AbstractRequestHandler implemen
                 SignResponse stalResp = new SignResponse();
                 stalResp.setSignatureValue(resp);
                 return stalResp;
+            } catch (NotActivatedException e) {
+              log.info("Citizen card not activated.", e);
+              return new ErrorResponse(6001);
+            } catch (LockedException e) {
+              log.info("Citizen card locked.", e);
+              return new ErrorResponse(6001);
             } catch (CancelledException cx) {
                 log.debug("User cancelled request");
                 return new ErrorResponse(6001);
-- 
cgit v1.2.3


From e4a47aa9393d74647f4f0c66b54dc4519fed492f Mon Sep 17 00:00:00 2001
From: clemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Tue, 11 Nov 2008 12:16:00 +0000
Subject: Interrupt in waitForAction (applet closed)

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@162 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   | 12 ++-
 .../at/gv/egiz/smcc/AbstractSignatureCard.java     |  6 +-
 .../src/main/java/at/gv/egiz/smcc/PINProvider.java |  2 +-
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 10 ++-
 smcc/src/main/java/at/gv/egiz/smcc/SWCard.java     |  3 +-
 .../main/java/at/gv/egiz/smcc/SignatureCard.java   | 17 +++-
 .../test/java/at/gv/egiz/smcc/STARCOSCardTest.java |  2 +-
 smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java | 94 +++++++++++-----------
 .../egiz/bku/smccstal/AbstractRequestHandler.java  |  9 ++-
 .../at/gv/egiz/bku/smccstal/AbstractSMCCSTAL.java  | 28 +++++--
 .../bku/smccstal/InfoBoxReadRequestHandler.java    |  4 +-
 .../egiz/bku/smccstal/SMCCSTALRequestHandler.java  |  2 +-
 .../gv/egiz/bku/smccstal/SignRequestHandler.java   |  4 +-
 13 files changed, 113 insertions(+), 80 deletions(-)

(limited to 'smcc/src/test/java')

diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index 9e56701f..2baff834 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -106,8 +106,9 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   /* (non-Javadoc)
    * @see at.gv.egiz.smcc.SignatureCard#getCertificate(at.gv.egiz.smcc.SignatureCard.KeyboxName)
    */
+  @Override
   public byte[] getCertificate(KeyboxName keyboxName)
-      throws SignatureCardException {
+      throws SignatureCardException, InterruptedException {
   
     byte[] aid;
     byte[] efc;
@@ -150,8 +151,9 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   /* (non-Javadoc)
    * @see at.gv.egiz.smcc.SignatureCard#getInfobox(java.lang.String, at.gv.egiz.smcc.PINProvider, java.lang.String)
    */
+  @Override
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
-      throws SignatureCardException {
+      throws SignatureCardException, InterruptedException {
   
     if ("IdentityLink".equals(infobox)) {
   
@@ -181,8 +183,9 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   
   }
 
+  @Override
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException {
+      PINProvider provider) throws SignatureCardException, InterruptedException {
   
     if (hash.length != 20) {
       throw new IllegalArgumentException("Hash value must be of length 20.");
@@ -299,8 +302,9 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
    * @throws javax.smartcardio.CardException
    * @throws at.gv.egiz.smcc.SignatureCardException
    */
+  @Override
   protected void verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid)
-      throws CardException, CancelledException, SignatureCardException {
+      throws CardException, CancelledException, SignatureCardException, InterruptedException {
 
     int retries = -1;
     do {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
index cebc63fc..b828e8cd 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
@@ -110,7 +110,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
    *           if VERIFY PIN fails
    */
   protected abstract void verifyPIN(PINProvider pinProvider, PINSpec spec,
-      byte kid) throws CardException, SignatureCardException;
+      byte kid) throws CardException, SignatureCardException, InterruptedException;
 
   protected byte[] readBinary(CardChannel channel, int offset, int len)
       throws CardException, SignatureCardException {
@@ -194,7 +194,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
    * @throws SignatureCardException
    */
   protected byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
-      throws SignatureCardException {
+      throws SignatureCardException, InterruptedException {
     return readTLVFilePIN(aid, ef, (byte) 0, null, null, maxLength);
   }
 
@@ -215,7 +215,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
    */
   protected byte[] readTLVFilePIN(byte[] aid, byte[] ef, byte kid,
       PINProvider provider, PINSpec spec, int maxLength)
-      throws SignatureCardException {
+      throws SignatureCardException, InterruptedException {
 
     try {
 
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
index 844115a4..e0104618 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
@@ -30,6 +30,6 @@ package at.gv.egiz.smcc;
 
 public interface PINProvider {
   
-  public String providePIN(PINSpec spec, int retries);
+  public String providePIN(PINSpec spec, int retries) throws InterruptedException;
 
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index 99acbc0f..d6d02475 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -129,8 +129,9 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
   /* (non-Javadoc)
    * @see at.gv.egiz.smcc.SignatureCard#getCertificate(at.gv.egiz.smcc.SignatureCard.KeyboxName)
    */
+  @Override
   public byte[] getCertificate(KeyboxName keyboxName)
-      throws SignatureCardException {
+      throws SignatureCardException, InterruptedException {
 
     byte[] aid;
     byte[] efc;
@@ -169,8 +170,9 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
   /* (non-Javadoc)
    * @see at.gv.egiz.smcc.SignatureCard#getInfobox(java.lang.String, at.gv.egiz.smcc.PINProvider, java.lang.String)
    */
+  @Override
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
-      throws SignatureCardException {
+      throws SignatureCardException, InterruptedException {
   
     if ("IdentityLink".equals(infobox)) {
   
@@ -204,7 +206,7 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
    * @see at.gv.egiz.smcc.SignatureCard#createSignature(byte[], at.gv.egiz.smcc.SignatureCard.KeyboxName, at.gv.egiz.smcc.PINProvider)
    */
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException {
+      PINProvider provider) throws SignatureCardException, InterruptedException {
   
     if (hash.length != 20) {
       throw new IllegalArgumentException("Hash value must be of length 20.");
@@ -399,7 +401,7 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
    * @see at.gv.egiz.smcc.AbstractSignatureCard#verifyPIN(at.gv.egiz.smcc.PINProvider, at.gv.egiz.smcc.PINSpec, byte, int)
    */
   protected void verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid)
-      throws CardException, SignatureCardException {
+      throws CardException, SignatureCardException, InterruptedException {
 
     int retries = verifyPIN(null, kid);
     do {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
index 42a4be1b..42943541 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
@@ -297,7 +297,8 @@ public class SWCard implements SignatureCard {
     
   }
 
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName, PINProvider provider) throws SignatureCardException {
+  @Override
+  public byte[] createSignature(byte[] hash, KeyboxName keyboxName, PINProvider provider) throws SignatureCardException, InterruptedException {
 
     // KeyStore password
     String password = getPassword(keyboxName);
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
index 37bd7cf9..b6a453df 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
@@ -57,6 +57,7 @@ public interface SignatureCard {
       }
     }
 
+    @Override
     public boolean equals(Object obj) {
       if (obj instanceof String) {
         return obj.equals(keyboxName_);
@@ -77,7 +78,7 @@ public interface SignatureCard {
   public void init(Card card);
 
   public byte[] getCertificate(KeyboxName keyboxName)
-      throws SignatureCardException;
+      throws SignatureCardException, InterruptedException;
   
   public void disconnect(boolean reset);
 
@@ -88,12 +89,22 @@ public interface SignatureCard {
    * @param domainId may be null.
    * @return
    * @throws SignatureCardException
+   * @throws InterruptedException if applet is destroyed while in pin dialog
    */
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
-      throws SignatureCardException;
+      throws SignatureCardException, InterruptedException;
 
+  /**
+   * 
+   * @param hash
+   * @param keyboxName
+   * @param provider
+   * @return
+   * @throws at.gv.egiz.smcc.SignatureCardException
+   * @throws java.lang.InterruptedException if applet is destroyed while in pin dialog
+   */
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException;
+      PINProvider provider) throws SignatureCardException, InterruptedException;
   
   /**
    * Sets the local for evtl. required callbacks (e.g. PINSpec)
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
index b921a5d5..13210540 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
@@ -37,7 +37,7 @@ public class STARCOSCardTest {
    * @throws CardException 
    * @throws NoSuchAlgorithmException 
    */
-  public static void main(String[] args) throws CardException, NoSuchAlgorithmException {
+  public static void main(String[] args) throws CardException, NoSuchAlgorithmException, InterruptedException {
     
     SMCCHelper helper = new SMCCHelper();
     while (helper.getResultCode() != SMCCHelper.CARD_FOUND) {
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
index 5448fee2..38126a67 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
@@ -14,50 +14,50 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package at.gv.egiz.smcc;
-
-import java.math.BigInteger;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-
-import at.gv.egiz.smcc.SignatureCard.KeyboxName;
-
-public class SWCardTest implements PINProvider {
-
-  SWCard swCard = new SWCard();
-  
-  public static void main(String[] args) throws Exception {
-    
-    SWCardTest swCardTest = new SWCardTest();
-    swCardTest.test();
-    
-  }
-  
-  public void test() throws SignatureCardException, NoSuchAlgorithmException {
-    
-    swCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
-    swCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
-    
-    BigInteger t = BigInteger.valueOf(System.currentTimeMillis());
-
-    MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
-    byte[] hash = messageDigest.digest(t.toByteArray());
-    
-    byte[] signature; 
-    signature = swCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR, this);
-    System.out.println(SignatureCardFactory.toString(signature));
-
-    signature = swCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR, this);
-    System.out.println(SignatureCardFactory.toString(signature));
-    
-    byte[] infobox = swCard.getInfobox("IdentityLink", this, null);
-    System.out.println(SignatureCardFactory.toString(infobox));
-
-  }
-
-  @Override
-  public String providePIN(PINSpec spec, int retries) {
-    return "buerger";
-  }
-  
-}
+package at.gv.egiz.smcc;
+
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+
+public class SWCardTest implements PINProvider {
+
+  SWCard swCard = new SWCard();
+  
+  public static void main(String[] args) throws Exception {
+    
+    SWCardTest swCardTest = new SWCardTest();
+    swCardTest.test();
+    
+  }
+  
+  public void test() throws SignatureCardException, NoSuchAlgorithmException, InterruptedException {
+    
+    swCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+    swCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+    
+    BigInteger t = BigInteger.valueOf(System.currentTimeMillis());
+
+    MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
+    byte[] hash = messageDigest.digest(t.toByteArray());
+    
+    byte[] signature; 
+    signature = swCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR, this);
+    System.out.println(SignatureCardFactory.toString(signature));
+
+    signature = swCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR, this);
+    System.out.println(SignatureCardFactory.toString(signature));
+    
+    byte[] infobox = swCard.getInfobox("IdentityLink", this, null);
+    System.out.println(SignatureCardFactory.toString(infobox));
+
+  }
+
+  @Override
+  public String providePIN(PINSpec spec, int retries) {
+    return "buerger";
+  }
+  
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractRequestHandler.java
index 995e2b77..98b21f79 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractRequestHandler.java
@@ -39,8 +39,8 @@ public abstract class AbstractRequestHandler implements SMCCSTALRequestHandler,
   protected boolean actionPerformed = false;
 
   @Override
-  public abstract STALResponse handleRequest(STALRequest request);
-
+  public abstract STALResponse handleRequest(STALRequest request) throws InterruptedException;
+  
   @Override
   public void init(SignatureCard sc, BKUGUIFacade gui) {
     if ((sc == null) || (gui == null)) {
@@ -60,13 +60,14 @@ public abstract class AbstractRequestHandler implements SMCCSTALRequestHandler,
     }
   }
 
-  protected synchronized void waitForAction() {
+  protected synchronized void waitForAction() throws InterruptedException {
     try {
       while (!actionPerformed) {
         wait();
       }
     } catch (InterruptedException e) {
-      log.info(e);
+      log.error("interrupt in waitForAction");
+      throw e;
     }
     actionPerformed = false;
   }
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractSMCCSTAL.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractSMCCSTAL.java
index f310dd42..04d8d0dd 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractSMCCSTAL.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractSMCCSTAL.java
@@ -24,6 +24,8 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -34,6 +36,7 @@ import at.gv.egiz.stal.InfoboxReadRequest;
 import at.gv.egiz.stal.STAL;
 import at.gv.egiz.stal.STALRequest;
 import at.gv.egiz.stal.STALResponse;
+import java.util.Collections;
 
 public abstract class AbstractSMCCSTAL implements STAL {
   private static Log log = LogFactory.getLog(AbstractSMCCSTAL.class);
@@ -61,7 +64,7 @@ public abstract class AbstractSMCCSTAL implements STAL {
 
   protected abstract BKUGUIFacade getGUI();
 
-  private STALResponse getRespone(STALRequest request) {
+  private STALResponse getRespone(STALRequest request) throws InterruptedException {
     log.info("Processing: " + request.getClass());
     int retryCounter = 0;
     while (retryCounter < maxRetries) {
@@ -99,6 +102,9 @@ public abstract class AbstractSMCCSTAL implements STAL {
             log.info("Got null response from handler, assuming quit");
             return null;
           }
+        } catch (InterruptedException e) {
+          log.info("Interrupt in handleRequest, do not retry");
+          throw e;
         } catch (Exception e) {
           log.info("Error while handling STAL request:" + e);
           if (++retryCounter < maxRetries) {
@@ -125,14 +131,22 @@ public abstract class AbstractSMCCSTAL implements STAL {
         .size());
     for (STALRequest request : requestList) {
       log.info("Processing: " + request.getClass());
-      STALResponse response = getRespone(request);
-      if (response != null) {
-        responseList.add(response);
-        if (response instanceof ErrorResponse) {
-          log.info("Got an error response, don't process remaining requests");
-          break;
+      STALResponse response;
+      try {
+        response = getRespone(request);
+        if (response != null) {
+          responseList.add(response);
+          if (response instanceof ErrorResponse) {
+            log.info("Got an error response, don't process remaining requests");
+            break;
+          }
         }
+      } catch (InterruptedException ex) {
+        log.error("got interrupted, return ErrorResponse 6001");
+        responseList = Collections.singletonList((STALResponse) new ErrorResponse(6001));
+        break;
       }
+      
     }
     return responseList;
   }
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
index cfc5c4bd..04f179e7 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
@@ -41,7 +41,7 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler implements
   private int retryCounter = 0;
 
   @Override
-  public STALResponse handleRequest(STALRequest request) {
+  public STALResponse handleRequest(STALRequest request) throws InterruptedException {
     if (request instanceof InfoboxReadRequest) {
       InfoboxReadRequest infoBox = (InfoboxReadRequest) request;
       try {
@@ -134,7 +134,7 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler implements
   }
 
   @Override
-  public String providePIN(PINSpec spec, int retries) {
+  public String providePIN(PINSpec spec, int retries) throws InterruptedException {
     if (retryCounter++ > 0) {
       log.info("PIN wrong retrying ...");
       gui.showCardPINRetryDialog(spec, retries, this, "ok", this, "cancel");
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SMCCSTALRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SMCCSTALRequestHandler.java
index 94ab7a5b..f19b3ef3 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SMCCSTALRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SMCCSTALRequestHandler.java
@@ -26,7 +26,7 @@ public interface SMCCSTALRequestHandler {
   
   public void init(SignatureCard sc, BKUGUIFacade gui);
   
-  public STALResponse handleRequest(STALRequest request);
+  public STALResponse handleRequest(STALRequest request) throws InterruptedException;
   
   public boolean requireCard();
   
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index dbc70bff..6c30a68a 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -67,7 +67,7 @@ public abstract class SignRequestHandler extends AbstractRequestHandler implemen
 
     @SuppressWarnings("unchecked")
     @Override
-    public STALResponse handleRequest(STALRequest request) {
+    public STALResponse handleRequest(STALRequest request) throws InterruptedException {
         if (request instanceof SignRequest) {
             SignRequest signReq = (SignRequest) request;
             newSTALMessage("Message.RequestCaption", "Message.SignRequest");
@@ -213,7 +213,7 @@ public abstract class SignRequestHandler extends AbstractRequestHandler implemen
     }
   
     @Override
-    public String providePIN(PINSpec spec, int retries) {
+    public String providePIN(PINSpec spec, int retries) throws InterruptedException {
     
       showSignaturePINDialog(spec, retries);
       
-- 
cgit v1.2.3


From 887f6727479f3ae3d89a08ba619f9382b450e4c1 Mon Sep 17 00:00:00 2001
From: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Fri, 12 Dec 2008 11:48:47 +0000
Subject: Updated SMCC to support non-blocking PIN entry. Added
 SV-Personendaten infobox implementation.

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@248 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../src/main/webapp/WEB-INF/applicationContext.xml |   3 +
 .../gv/egiz/bku/binding/DataUrlConnectionImpl.java |   1 +
 .../bku/binding/LegacyDataUrlConnectionImpl.java   |   3 +
 .../slcommands/impl/AbstractAssocArrayInfobox.java |  96 +++--
 .../impl/SVPersonendatenInfoboxImpl.java           | 323 +++++++++++++++++
 .../impl/SVPersonendatenInfoboxImplTest.java       | 147 ++++++++
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   | 320 +++++++++--------
 .../at/gv/egiz/smcc/AbstractSignatureCard.java     | 214 +++++++-----
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 386 +++++++++++++--------
 .../smcc/SecurityStatusNotSatisfiedException.java  |  38 ++
 .../gv/egiz/smcc/VerificationFailedException.java  |  65 ++++
 .../test/java/at/gv/egiz/smcc/STARCOSCardTest.java |  40 ++-
 .../bku/smccstal/InfoBoxReadRequestHandler.java    |   3 +
 13 files changed, 1219 insertions(+), 420 deletions(-)
 create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImpl.java
 create mode 100644 bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/SecurityStatusNotSatisfiedException.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/VerificationFailedException.java

(limited to 'smcc/src/test/java')

diff --git a/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml b/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
index eb7d5b7a..2ddd46a1 100644
--- a/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/BKULocal/src/main/webapp/WEB-INF/applicationContext.xml
@@ -82,6 +82,9 @@
         <entry
           key="CardChannel"
           value="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxImpl" />
+        <entry
+          key="SV-Personendaten"
+          value="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxImpl" />
       </map>
     </property>
   </bean>
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/DataUrlConnectionImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/DataUrlConnectionImpl.java
index 408330cc..57d89c89 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/DataUrlConnectionImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/DataUrlConnectionImpl.java
@@ -100,6 +100,7 @@ public class DataUrlConnectionImpl implements DataUrlConnectionSPI {
       }
       if (hostnameVerifier != null) {
         log.debug("Setting custom hostname verifier");
+        https.setHostnameVerifier(hostnameVerifier);
       }
     } else {
       log.trace("No secure connection with: "+url+ " class="+connection.getClass());
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/LegacyDataUrlConnectionImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/LegacyDataUrlConnectionImpl.java
index ef8034aa..452c45e5 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/LegacyDataUrlConnectionImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/LegacyDataUrlConnectionImpl.java
@@ -80,6 +80,7 @@ public class LegacyDataUrlConnectionImpl implements DataUrlConnectionSPI {
       }
       if (hostnameVerifier != null) {
         log.debug("Setting custom hostname verifier");
+        https.setHostnameVerifier(hostnameVerifier);
       }
     }
     connection.setDoOutput(true);
@@ -229,6 +230,8 @@ public class LegacyDataUrlConnectionImpl implements DataUrlConnectionSPI {
   public DataUrlConnectionSPI newInstance() {
     DataUrlConnectionSPI uc = new LegacyDataUrlConnectionImpl();
     uc.setConfiguration(config);
+    uc.setSSLSocketFactory(sslSocketFactory);
+    uc.setHostnameVerifier(hostnameVerifier);
     return uc;
   }
 
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/AbstractAssocArrayInfobox.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/AbstractAssocArrayInfobox.java
index e49ed6c0..e7f96c06 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/AbstractAssocArrayInfobox.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/AbstractAssocArrayInfobox.java
@@ -16,12 +16,17 @@
  */
 package at.gv.egiz.bku.slcommands.impl;
 
+import java.io.ByteArrayOutputStream;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -36,6 +41,7 @@ import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadParamsAssocArrayTy
 import at.buergerkarte.namespaces.securitylayer._1.InfoboxReadParamsAssocArrayType.ReadValue;
 import at.gv.egiz.bku.slcommands.InfoboxReadResult;
 import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slcommands.SLCommandFactory;
 import at.gv.egiz.bku.slexceptions.SLCommandException;
 
 /**
@@ -54,7 +60,7 @@ public abstract class AbstractAssocArrayInfobox extends AbstractInfoboxImpl
   /**
    * The search string pattern.
    */
-  public static final String SEARCH_STRING_PATTERN = ".&&[^/](/.&&[^/])*";
+  public static final String SEARCH_STRING_PATTERN = "(.&&[^/])+(/.&&[^/])*";
   
   /**
    * @return the keys available in this infobox.
@@ -93,6 +99,11 @@ public abstract class AbstractAssocArrayInfobox extends AbstractInfoboxImpl
       return Arrays.asList(getKeys());
     }
     
+    if (!searchString.contains("*")) {
+      Arrays.asList(getKeys()).contains(searchString);
+      return Collections.singletonList(searchString);
+    }
+    
     if (Pattern.matches(SEARCH_STRING_PATTERN, searchString)) {
       
 //      for (int i = 0; i < searchString.length(); i++) {
@@ -160,15 +171,10 @@ public abstract class AbstractAssocArrayInfobox extends AbstractInfoboxImpl
   protected InfoboxReadResult readPairs(ReadPairs readPairs, SLCommandContext cmdCtx) throws SLCommandException {
     
     if (readPairs.isValuesAreXMLEntities() && !isValuesAreXMLEntities()) {
-      log.info("Got valuesAreXMLEntities=" + readPairs + " but infobox type is binary.");
+      log.info("Got valuesAreXMLEntities=" + readPairs.isValuesAreXMLEntities() + " but infobox type is binary.");
       throw new SLCommandException(4010);
     }
     
-    if (!readPairs.isValuesAreXMLEntities() && isValuesAreXMLEntities()) {
-      log.info("Got valuesAreXMLEntities=" + readPairs + " but infobox type is XML.");
-      throw new SLCommandException(4010);
-    }
-
     List<String> selectedKeys = selectKeys(readPairs.getSearchString());
     
     if (readPairs.isUserMakesUnique() && selectedKeys.size() > 1) {
@@ -177,26 +183,10 @@ public abstract class AbstractAssocArrayInfobox extends AbstractInfoboxImpl
       throw new SLCommandException(4010);
     }
     
-    ObjectFactory objectFactory = new ObjectFactory();
-
-    InfoboxReadDataAssocArrayType infoboxReadDataAssocArrayType = objectFactory.createInfoboxReadDataAssocArrayType();
-
-    Map<String, Object> values = getValues(selectedKeys, cmdCtx);
-    for (String key : selectedKeys) {
-      InfoboxAssocArrayPairType infoboxAssocArrayPairType = objectFactory.createInfoboxAssocArrayPairType();
-      infoboxAssocArrayPairType.setKey(key);
-      Object value = values.get(key);
-      if (value instanceof byte[]) {
-        infoboxAssocArrayPairType.setBase64Content((byte[]) value);
-      } else {
-        infoboxAssocArrayPairType.setXMLContent((XMLContentType) value);
-      }
-      infoboxReadDataAssocArrayType.getPair().add(infoboxAssocArrayPairType);
-    }
-    
-    return new InfoboxReadResultImpl(infoboxReadDataAssocArrayType);
+    return new InfoboxReadResultImpl(marshallPairs(selectedKeys, getValues(
+        selectedKeys, cmdCtx), readPairs.isValuesAreXMLEntities()));
   }
-
+  
   /**
    * Read the value specified by <code>readPairs</code>.
    * 
@@ -213,12 +203,7 @@ public abstract class AbstractAssocArrayInfobox extends AbstractInfoboxImpl
   protected InfoboxReadResult readValue(ReadValue readValue, SLCommandContext cmdCtx) throws SLCommandException {
     
     if (readValue.isValueIsXMLEntity() && !isValuesAreXMLEntities()) {
-      log.info("Got valuesAreXMLEntities=" + readValue + " but infobox type is binary.");
-      throw new SLCommandException(4010);
-    }
-    
-    if (!readValue.isValueIsXMLEntity() && isValuesAreXMLEntities()) {
-      log.info("Got valuesAreXMLEntities=" + readValue + " but infobox type is XML.");
+      log.info("Got valuesAreXMLEntities=" + readValue.isValueIsXMLEntity() + " but infobox type is binary.");
       throw new SLCommandException(4010);
     }
     
@@ -230,24 +215,59 @@ public abstract class AbstractAssocArrayInfobox extends AbstractInfoboxImpl
       selectedKeys = Collections.emptyList();
     }
     
+    return new InfoboxReadResultImpl(marshallPairs(selectedKeys, getValues(
+        selectedKeys, cmdCtx), readValue.isValueIsXMLEntity()));
+    
+  }
+  
+  protected InfoboxReadDataAssocArrayType marshallPairs(List<String> selectedKeys, Map<String, Object> values, boolean areXMLEntities) throws SLCommandException {
+    
     ObjectFactory objectFactory = new ObjectFactory();
-
+    
     InfoboxReadDataAssocArrayType infoboxReadDataAssocArrayType = objectFactory.createInfoboxReadDataAssocArrayType();
     
-    Map<String, Object> values = getValues(selectedKeys, cmdCtx);
     for (String key : selectedKeys) {
       InfoboxAssocArrayPairType infoboxAssocArrayPairType = objectFactory.createInfoboxAssocArrayPairType();
       infoboxAssocArrayPairType.setKey(key);
+     
       Object value = values.get(key);
-      if (value instanceof byte[]) {
-        infoboxAssocArrayPairType.setBase64Content((byte[]) value);
+      if (areXMLEntities) {
+        if (value instanceof byte[]) {
+          log.info("Got valuesAreXMLEntities=" + areXMLEntities + " but infobox type is binary.");
+          throw new SLCommandException(4122);
+        } else {
+          XMLContentType contentType = objectFactory.createXMLContentType();
+          contentType.getContent().add(value);
+          infoboxAssocArrayPairType.setXMLContent(contentType);
+        }
       } else {
-        infoboxAssocArrayPairType.setXMLContent((XMLContentType) value);
+        infoboxAssocArrayPairType.setBase64Content((value instanceof byte[]) ? (byte[]) value : marshallValue(value));
       }
+      
       infoboxReadDataAssocArrayType.getPair().add(infoboxAssocArrayPairType);
     }
+
+    return infoboxReadDataAssocArrayType;
     
-    return new InfoboxReadResultImpl(infoboxReadDataAssocArrayType);
+  }
+
+  protected byte[] marshallValue(Object jaxbElement) throws SLCommandException {
+    SLCommandFactory commandFactory = SLCommandFactory.getInstance();
+    JAXBContext jaxbContext = commandFactory.getJaxbContext();
+    
+    ByteArrayOutputStream result;
+    try {
+      Marshaller marshaller = jaxbContext.createMarshaller();
+      
+      result = new ByteArrayOutputStream();
+      marshaller.marshal(jaxbElement, result);
+    } catch (JAXBException e) {
+      log.info("Failed to marshall infobox content.", e);
+      throw new SLCommandException(4122);
+    }
+    
+    return result.toByteArray();
+  
   }
 
   @Override
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImpl.java
new file mode 100644
index 00000000..7e204632
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImpl.java
@@ -0,0 +1,323 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.bku.slcommands.impl;
+
+import iaik.asn1.ASN;
+import iaik.asn1.ASN1Object;
+import iaik.asn1.CodingException;
+import iaik.asn1.DerCoder;
+import iaik.asn1.NumericString;
+import iaik.asn1.OCTET_STRING;
+import iaik.asn1.ObjectID;
+import iaik.asn1.SEQUENCE;
+import iaik.asn1.SET;
+import iaik.asn1.UNKNOWN;
+import iaik.asn1.structures.ChoiceOfTime;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.charset.Charset;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.TimeZone;
+
+import javax.xml.datatype.DatatypeFactory;
+import javax.xml.datatype.XMLGregorianCalendar;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.buergerkarte.namespaces.cardchannel.AttributeList;
+import at.buergerkarte.namespaces.cardchannel.AttributeType;
+import at.buergerkarte.namespaces.cardchannel.ObjectFactory;
+import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+import at.gv.egiz.bku.slexceptions.SLExceptionMessages;
+import at.gv.egiz.stal.InfoboxReadRequest;
+import at.gv.egiz.stal.InfoboxReadResponse;
+import at.gv.egiz.stal.STALRequest;
+
+/**
+ * An implementation of the {@link Infobox} <em>Certificates</em> as 
+ * specified in Security Layer 1.2. 
+ * 
+ * @author mcentner
+ */
+public class SVPersonendatenInfoboxImpl extends AbstractAssocArrayInfobox {
+  
+  /**
+   * Logging facility.
+   */
+  private static Log log = LogFactory.getLog(SVPersonendatenInfoboxImpl.class);
+
+  public static final String EHIC = "EHIC";
+  
+  public static final String GRUNDDATEN = "Grunddaten";
+  
+  public static final String STATUS = "Status";
+  
+  public static final String SV_PERSONENBINDUNG = "SV-Personenbindung";
+  
+  /**
+   * The valid keys.
+   */
+  public static final String[] KEYS = new String[] {
+    GRUNDDATEN, EHIC, STATUS, SV_PERSONENBINDUNG
+  };
+
+  @Override
+  public String getIdentifier() {
+    return "SV-Personendaten";
+  }
+
+  @Override
+  public String[] getKeys() {
+    return KEYS;
+  }
+
+  @Override
+  public boolean isValuesAreXMLEntities() {
+    return true;
+  }
+
+  @Override
+  public Map<String, Object> getValues(List<String> keys, SLCommandContext cmdCtx) throws SLCommandException {
+    
+    STALHelper stalHelper = new STALHelper(cmdCtx.getSTAL());
+    
+    if (keys != null && !keys.isEmpty()) {
+      
+      List<STALRequest> stalRequests = new ArrayList<STALRequest>();
+
+      // get values
+      InfoboxReadRequest infoboxReadRequest;
+      for (int i = 0; i < keys.size(); i++) {
+        infoboxReadRequest = new InfoboxReadRequest();
+        infoboxReadRequest.setInfoboxIdentifier(keys.get(i));
+        stalRequests.add(infoboxReadRequest);
+      }
+
+      stalHelper.transmitSTALRequest(stalRequests);
+
+      Map<String, Object> values = new HashMap<String, Object>();
+
+      try {
+        for (int i = 0; i < keys.size(); i++) {
+          
+          String key = keys.get(i);
+          InfoboxReadResponse nextResponse = (InfoboxReadResponse) stalHelper.nextResponse(InfoboxReadResponse.class);
+
+          
+          ObjectFactory objectFactory = new ObjectFactory();
+          
+          if (EHIC.equals(key)) {
+            AttributeList attributeList = createAttributeList(nextResponse.getInfoboxValue());
+            values.put(key, objectFactory.createEHIC(attributeList));
+          } else if (GRUNDDATEN.equals(key)) {
+            AttributeList attributeList = createAttributeList(nextResponse.getInfoboxValue());
+            values.put(key, objectFactory.createGrunddaten(attributeList));
+          } else if (SV_PERSONENBINDUNG.equals(key)) {
+            values.put(key, objectFactory.createSVPersonenbindung(nextResponse.getInfoboxValue()));
+          } else if (STATUS.equals(key)) {
+            AttributeList attributeList = createAttributeListFromRecords(nextResponse.getInfoboxValue());
+            values.put(key, objectFactory.createStatus(attributeList));
+          }
+          
+        }
+      } catch (CodingException e) {
+        log.info("Failed to decode '" + getIdentifier() + "' infobox.", e);
+        throw new SLCommandException(4000,
+            SLExceptionMessages.EC4000_UNCLASSIFIED_INFOBOX_INVALID,
+            new Object[] { "IdentityLink" });
+
+      }
+      
+      return values;
+      
+    } else {
+      
+      return new HashMap<String, Object>();
+      
+    }
+    
+    
+  }
+  
+  public static AttributeList createAttributeList(byte[] infoboxValue) throws CodingException {
+    
+    ObjectFactory objectFactory = new ObjectFactory();
+    
+    ASN1Object asn1 = DerCoder.decode(infoboxValue);
+    
+    AttributeList attributeList = objectFactory.createAttributeList();
+    List<AttributeType> attributes = attributeList.getAttribute();
+    
+    if (asn1.isA(ASN.SEQUENCE)) {
+      for (int i = 0; i < ((SEQUENCE) asn1).countComponents(); i++) {
+
+        AttributeType attributeType = objectFactory.createAttributeType();
+
+        if (asn1.getComponentAt(i).isA(ASN.SEQUENCE)) {
+          SEQUENCE attribute = (SEQUENCE) asn1.getComponentAt(i);
+          if (attribute.getComponentAt(0).isA(ASN.ObjectID)) {
+            ObjectID objectId = (ObjectID) attribute.getComponentAt(0);
+            attributeType.setOid("urn:oid:" + objectId.getID());
+          }
+          if (attribute.getComponentAt(1).isA(ASN.SET)) {
+            SET values = (SET) attribute.getComponentAt(1);
+            for (int j = 0; j < values.countComponents(); j++) {
+              setAttributeValue(attributeType, values.getComponentAt(j));
+            }
+          }
+        }
+        
+        attributes.add(attributeType);
+        
+      }
+      
+    }
+    
+    return attributeList;
+    
+  }
+  
+  public static AttributeList createAttributeListFromRecords(byte[] infoboxValue) throws CodingException {
+    
+    ObjectFactory objectFactory = new ObjectFactory();
+
+    AttributeList attributeList = objectFactory.createAttributeList();
+    List<AttributeType> attributes = attributeList.getAttribute();
+
+    byte[] records = infoboxValue;
+    
+    while (records != null && records.length > 0) {
+
+      int length;
+      
+      if (records[0] != 0x00) {
+        
+        ASN1Object asn1 = DerCoder.decode(records);
+
+        AttributeType attributeType = objectFactory.createAttributeType();
+
+        if (asn1.isA(ASN.SEQUENCE)) {
+          SEQUENCE attribute = (SEQUENCE) asn1;
+          if (attribute.getComponentAt(0).isA(ASN.ObjectID)) {
+            ObjectID objectId = (ObjectID) attribute.getComponentAt(0);
+            attributeType.setOid("urn:oid:" + objectId.getID());
+          }
+          if (attribute.getComponentAt(1).isA(ASN.SET)) {
+            SET values = (SET) attribute.getComponentAt(1);
+            for (int j = 0; j < values.countComponents(); j++) {
+              setAttributeValue(attributeType, values.getComponentAt(j));
+            }
+          }
+        }
+        
+        attributes.add(attributeType);
+
+        length = DerCoder.encode(asn1).length;
+
+      } else {
+        length = 1;
+      }
+      
+      if (length < records.length) {
+        records = Arrays.copyOfRange(records, length + 1, records.length);
+      } else {
+        records = null;
+      }
+      
+    }
+      
+    return attributeList;
+    
+  }
+  
+  private static void setAttributeValue(AttributeType attributeType, ASN1Object value) {
+    
+    if (value.isA(ASN.OCTET_STRING)) {
+      
+      try {
+        byte[] octets = ((OCTET_STRING) value).getWholeValue();
+        attributeType.setLatin1String(new String(octets, Charset.forName("ISO-8859-1")));
+      } catch (IOException e) {
+        log.info("Failed to set Latin1String.", e);
+      }
+      
+    } else if (value.isA(ASN.NumericString)) {
+      
+      attributeType.setNumericString((String) ((NumericString) value).getValue());
+      
+    } else if (value.isA(ASN.GeneralizedTime)) {
+      
+      try {
+        ChoiceOfTime choiceOfTime = new ChoiceOfTime(value);
+        
+        GregorianCalendar gregorianCalendar = new GregorianCalendar();
+        gregorianCalendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        gregorianCalendar.setTime(choiceOfTime.getDate());
+
+        DatatypeFactory datatypeFactory = DatatypeFactory.newInstance();
+        XMLGregorianCalendar xmlGregorianCalendar = datatypeFactory.newXMLGregorianCalendar(gregorianCalendar);
+        xmlGregorianCalendar.setTimezone(0);
+        
+        attributeType.setGeneralizedTime(xmlGregorianCalendar);
+      } catch (Exception e) {
+        log.info("Failed to set GeneralizedTime.", e);
+      }
+      
+    } else if (value.isA(ASN.INTEGER)) {
+      
+      attributeType.setInteger((BigInteger) value.getValue());
+      
+    } else if (value.isA(ASN.UTF8String)) {
+      
+      attributeType.setUTF8String((String) value.getValue());
+      
+    } else if (value.isA(ASN.PrintableString)) {
+      
+      attributeType.setPrintableString((String) value.getValue());
+      
+    } else if (value.isA(ASN.UNKNOWN)) {
+      
+      byte[] bytes = (byte[]) ((UNKNOWN) value).getValue();
+      
+      try {
+        BigInteger bigInteger = new BigInteger(bytes);
+        String string = bigInteger.toString(16);
+        
+        Date date = new SimpleDateFormat("yyyyMMdd").parse(string);
+        attributeType.setDate(new SimpleDateFormat("yyyy-MM-dd").format(date));
+      } catch (Exception e) {
+        log.info("Failed to set Date.", e);
+      }
+    }
+    
+  }
+
+    
+    
+  
+
+}
diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java
new file mode 100644
index 00000000..f9c60b86
--- /dev/null
+++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java
@@ -0,0 +1,147 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.bku.slcommands.impl;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import iaik.asn1.CodingException;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+
+import org.junit.Ignore;
+import org.junit.Test;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+
+import at.buergerkarte.namespaces.cardchannel.AttributeList;
+import at.buergerkarte.namespaces.cardchannel.ObjectFactory;
+import at.gv.egiz.bku.slcommands.ErrorResult;
+import at.gv.egiz.bku.slcommands.InfoboxReadCommand;
+import at.gv.egiz.bku.slcommands.SLCommand;
+import at.gv.egiz.bku.slcommands.SLCommandContext;
+import at.gv.egiz.bku.slcommands.SLCommandFactory;
+import at.gv.egiz.bku.slcommands.SLResult;
+import at.gv.egiz.bku.slexceptions.SLCommandException;
+import at.gv.egiz.bku.slexceptions.SLRequestException;
+import at.gv.egiz.bku.slexceptions.SLRuntimeException;
+import at.gv.egiz.stal.STAL;
+import at.gv.egiz.stal.dummy.DummySTAL;
+
+//@Ignore
+public class SVPersonendatenInfoboxImplTest {
+
+  private byte[] EHIC = new byte[] {
+      (byte) 0x30, (byte) 0x6b, (byte) 0x30, (byte) 0x12, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x28, 
+      (byte) 0x00, (byte) 0x0a, (byte) 0x01, (byte) 0x04, (byte) 0x01, (byte) 0x14, (byte) 0x31, (byte) 0x06, 
+      (byte) 0x04, (byte) 0x04, (byte) 0x42, (byte) 0x47, (byte) 0x4b, (byte) 0x4b, (byte) 0x30, (byte) 0x12, 
+      (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x28, (byte) 0x00, (byte) 0x0a, (byte) 0x01, (byte) 0x04, 
+      (byte) 0x01, (byte) 0x15, (byte) 0x31, (byte) 0x06, (byte) 0x12, (byte) 0x04, (byte) 0x31, (byte) 0x33, 
+      (byte) 0x30, (byte) 0x30, (byte) 0x30, (byte) 0x22, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x28, 
+      (byte) 0x00, (byte) 0x0a, (byte) 0x01, (byte) 0x04, (byte) 0x01, (byte) 0x16, (byte) 0x31, (byte) 0x16, 
+      (byte) 0x12, (byte) 0x14, (byte) 0x38, (byte) 0x30, (byte) 0x30, (byte) 0x34, (byte) 0x30, (byte) 0x30, 
+      (byte) 0x30, (byte) 0x30, (byte) 0x30, (byte) 0x30, (byte) 0x32, (byte) 0x33, (byte) 0x30, (byte) 0x30, 
+      (byte) 0x34, (byte) 0x37, (byte) 0x30, (byte) 0x37, (byte) 0x35, (byte) 0x39, (byte) 0x30, (byte) 0x1d, 
+      (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x28, (byte) 0x00, (byte) 0x0a, (byte) 0x01, (byte) 0x04, 
+      (byte) 0x01, (byte) 0x17, (byte) 0x31, (byte) 0x11, (byte) 0x18, (byte) 0x0f, (byte) 0x32, (byte) 0x30, 
+      (byte) 0x30, (byte) 0x35, (byte) 0x30, (byte) 0x37, (byte) 0x30, (byte) 0x31, (byte) 0x31, (byte) 0x32, 
+      (byte) 0x30, (byte) 0x30, (byte) 0x30, (byte) 0x30, (byte) 0x5a
+    };
+  
+  private static ApplicationContext appCtx;
+  
+  private SLCommandFactory factory;
+  
+  private STAL stal;
+  
+//  @BeforeClass
+  public static void setUpClass() {
+    appCtx = new ClassPathXmlApplicationContext("at/gv/egiz/bku/slcommands/testApplicationContext.xml");
+  }
+
+//  @Before
+  public void setUp() {
+    factory = SLCommandFactory.getInstance();
+    stal = new DummySTAL();
+  }
+
+  @Test
+  public void testEHIC() throws SLCommandException, JAXBException, CodingException, IOException {
+    
+    AttributeList attributeList = SVPersonendatenInfoboxImpl.createAttributeList(EHIC);
+    
+    JAXBElement<AttributeList> ehic = new ObjectFactory().createEHIC(attributeList);
+    
+    JAXBContext jaxbContext = SLCommandFactory.getInstance().getJaxbContext();
+    
+    Marshaller marshaller = jaxbContext.createMarshaller();
+    
+    marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
+    
+    marshaller.marshal(ehic, System.out);
+    
+  }
+  
+  @Ignore
+  @Test
+  public void testInfboxReadRequest() throws SLCommandException, SLRuntimeException, SLRequestException {
+    InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.xml");
+    assertNotNull(inputStream);
+    
+    SLCommandContext context = new SLCommandContext();
+    context.setSTAL(stal);
+    SLCommand command = factory.createSLCommand(new StreamSource(inputStream), context);
+    assertTrue(command instanceof InfoboxReadCommand);
+    
+    SLResult result = command.execute();
+    result.writeTo(new StreamResult(System.out));
+  }
+  
+  @Ignore
+  @Test(expected=SLCommandException.class)
+  public void testInfboxReadRequestInvalid1() throws SLCommandException, SLRuntimeException, SLRequestException {
+    InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.Invalid-1.xml");
+    assertNotNull(inputStream);
+    
+    SLCommandContext context = new SLCommandContext();
+    context.setSTAL(stal);
+    SLCommand command = factory.createSLCommand(new StreamSource(inputStream), context);
+    assertTrue(command instanceof InfoboxReadCommand);
+  }
+
+  @Ignore
+  public void testInfboxReadRequestInvalid2() throws SLCommandException, SLRuntimeException, SLRequestException {
+    InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.Invalid-2.xml");
+    assertNotNull(inputStream);
+    
+    SLCommandContext context = new SLCommandContext();
+    context.setSTAL(stal);
+    SLCommand command = factory.createSLCommand(new StreamSource(inputStream), context);
+    assertTrue(command instanceof InfoboxReadCommand);
+    
+    SLResult result = command.execute();
+    assertTrue(result instanceof ErrorResult);
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index 2baff834..6d96599c 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -30,7 +30,6 @@ package at.gv.egiz.smcc;
 
 import java.nio.charset.Charset;
 
-import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
@@ -110,41 +109,47 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   public byte[] getCertificate(KeyboxName keyboxName)
       throws SignatureCardException, InterruptedException {
   
-    byte[] aid;
-    byte[] efc;
-    int maxsize;
-    if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
-      aid = AID_SIG;
-      efc = EF_C_CH_DS;
-      maxsize = EF_C_CH_DS_MAX_SIZE;
-    } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
-      aid = AID_DEC;
-      efc = EF_C_CH_EKEY;
-      maxsize = EF_C_CH_EKEY_MAX_SIZE;
-    } else {
-      throw new IllegalArgumentException("Keybox " + keyboxName
-          + " not supported.");
-    }
-
-    log.debug("Get certificate for keybox '" + keyboxName.getKeyboxName() + "'" +
-        " (AID=" + toString(aid) + " EF=" + toString(efc) + ").");
-    
     try {
-      Card card = getCardChannel().getCard();
-      try {
-        card.beginExclusive();
-        return readTLVFile(aid, efc, maxsize + 15000);
-      } catch (FileNotFoundException e) {
-        // if certificate is not present, 
-        // the citizen card application has not been activated
-        throw new NotActivatedException();
-      } finally {
-        card.endExclusive();
+      
+      if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+        
+        try {
+          getCard().beginExclusive();
+          byte[] certificate = readTLVFile(AID_SIG, EF_C_CH_DS, EF_C_CH_DS_MAX_SIZE);
+          if (certificate == null) {
+            throw new NotActivatedException();
+          }
+          return certificate;
+        } catch (FileNotFoundException e) {
+          throw new NotActivatedException();
+        } finally {
+          getCard().endExclusive();
+        }
+        
+      } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
+        
+        try {
+          getCard().beginExclusive();
+          byte[] certificate = readTLVFile(AID_DEC, EF_C_CH_EKEY, EF_C_CH_EKEY_MAX_SIZE);
+          if (certificate == null) {
+            throw new NotActivatedException();
+          }
+          return certificate;
+        } catch (FileNotFoundException e) {
+          throw new NotActivatedException();
+        } finally {
+          getCard().endExclusive();
+        }
+        
+      } else {
+        throw new IllegalArgumentException("Keybox " + keyboxName
+            + " not supported.");
       }
+
     } catch (CardException e) {
-      throw new SignatureCardException("Failed to get exclusive card access.");
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
     }
-
     
   }
 
@@ -155,30 +160,47 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
       throws SignatureCardException, InterruptedException {
   
-    if ("IdentityLink".equals(infobox)) {
-  
-      PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("inf.pin.name"));
-      
-      try {
-        Card card = getCardChannel().getCard();
-        try {
-          card.beginExclusive();
-          return readTLVFilePIN(AID_DEC, EF_INFOBOX, KID_PIN_INF, provider,
-              spec, EF_INFOBOX_MAX_SIZE);
-        } catch (FileNotFoundException e) {
-          // if certificate is not present, 
-          // the citizen card application has not been activated
-          throw new NotActivatedException();
-        } finally {
-          card.endExclusive();
-        }
-      } catch (CardException e) {
-        throw new SignatureCardException("Failed to get exclusive card access.");
+    try {
+      if ("IdentityLink".equals(infobox)) {
+ 
+        PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("inf.pin.name"));
+        
+        int retries = -1;
+        String pin = null;
+        boolean pinRequiered = false;
+
+        do {
+          if (pinRequiered) {
+            pin = provider.providePIN(spec, retries);
+            if (pin == null) {
+              throw new CancelledException();
+            }
+          }
+          try {
+            getCard().beginExclusive();
+            return readTLVFile(AID_DEC, EF_INFOBOX, pin, KID_PIN_INF, EF_INFOBOX_MAX_SIZE);
+          } catch (FileNotFoundException e) {
+            throw new NotActivatedException();
+          } catch (SecurityStatusNotSatisfiedException e) {
+            pinRequiered = true;
+          } catch (VerificationFailedException e) {
+            pinRequiered = true;
+            retries = e.getRetries();
+          } finally {
+            getCard().endExclusive();
+          }
+        } while (retries != 0);
+
+        throw new LockedException();
+
+      } else {
+        throw new IllegalArgumentException("Infobox '" + infobox
+            + "' not supported.");
       }
-  
-    } else {
-      throw new IllegalArgumentException("Infobox '" + infobox
-          + "' not supported.");
+
+    } catch (CardException e) {
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
     }
   
   }
@@ -192,68 +214,103 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
     }
   
     try {
-      Card card = getCardChannel().getCard();
-      try {
-        card.beginExclusive();
-        
-        if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
-
-          // SELECT DF
-          selectFileFID(DF_SIG);
-          // VERIFY
-          verifyPIN(provider, new PINSpec(6, 10, "[0-9]", getResourceBundle()
-              .getString("sig.pin.name")), KID_PIN_SIG);
-          // MSE: SET DST
-          mseSetDST(0x81, 0xb6, DST_SIG);
-          // PSO: HASH
-          psoHash(hash);
-          // PSO: COMPUTE DIGITAL SIGNATURE
-          return psoComputDigitalSiganture();
       
-        } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
-
-          // SELECT DF
-          selectFileFID(DF_DEC);
-          // VERIFY
-          verifyPIN(provider, new PINSpec(4, 4, "[0-9]", getResourceBundle()
-              .getString("dec.pin.name")), KID_PIN_DEC);
-          // MSE: SET DST
-          mseSetDST(0x41, 0xa4, DST_DEC);
-          // INTERNAL AUTHENTICATE
-          return internalAuthenticate(hash);
-
-          
-          // 00 88 10 00 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 54 26 F0 EA  AF EA F0 4E D4 A1 AD BF 66 D4 A5 9B 45 6F AF 79 00
-          // 00 88 10 00 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 DF 8C AB 8F E2 AD AC 7B 5A AF BE E9 44 5E 95 99 FA AF 2F 48 00
-          
-        } else {
-          throw new IllegalArgumentException("KeyboxName '" + keyboxName
-              + "' not supported.");
-        }
+      if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
+
+        PINSpec spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
+        
+        int retries = -1;
+        String pin = null;
+
+        do {
+          pin = provider.providePIN(spec, retries);
+          if (pin == null) {
+            throw new CancelledException();
+          }
+          try {
+            getCard().beginExclusive();
+            
+            // SELECT DF
+            selectFileFID(DF_SIG);
+            // VERIFY
+            retries = verifyPIN(pin, KID_PIN_SIG);
+            if (retries != -1) {
+              throw new VerificationFailedException(retries);
+            }
+            // MSE: SET DST
+            mseSetDST(0x81, 0xb6, DST_SIG);
+            // PSO: HASH
+            psoHash(hash);
+            // PSO: COMPUTE DIGITAL SIGNATURE
+            return psoComputDigitalSiganture();
+
+          } catch (SecurityStatusNotSatisfiedException e) {
+            retries = verifyPIN(null, KID_PIN_SIG);
+          } catch (VerificationFailedException e) {
+            retries = e.getRetries();
+          } finally {
+            getCard().endExclusive();
+          }
+        } while (retries != 0);
+
+        throw new LockedException();
+        
+    
+      } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
         
-      } catch (FileNotFoundException e) {
-        // if certificate is not present, 
-        // the citizen card application has not been activated
-        throw new NotActivatedException();
-      } finally {
-        card.endExclusive();
+        PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("dec.pin.name"));
+
+        int retries = -1;
+        String pin = null;
+        boolean pinRequiered = false;
+
+        do {
+          if (pinRequiered) {
+            pin = provider.providePIN(spec, retries);
+            if (pin == null) {
+              throw new CancelledException();
+            }
+          }
+          try {
+            getCard().beginExclusive();
+            
+            // SELECT DF
+            selectFileFID(DF_DEC);
+            // VERIFY
+            retries = verifyPIN(pin, KID_PIN_DEC);
+            if (retries != -1) {
+              throw new VerificationFailedException(retries);
+            }
+            // MSE: SET DST
+            mseSetDST(0x41, 0xa4, DST_DEC);
+            // INTERNAL AUTHENTICATE
+            return internalAuthenticate(hash);
+            
+          } catch (FileNotFoundException e) {
+            throw new NotActivatedException();
+          } catch (SecurityStatusNotSatisfiedException e) {
+            pinRequiered = true;
+            retries = verifyPIN(null, KID_PIN_DEC);
+          } catch (VerificationFailedException e) {
+            pinRequiered = true;
+            retries = e.getRetries();
+          } finally {
+            getCard().endExclusive();
+          }
+        } while (retries != 0);
+
+        throw new LockedException();
+
+      } else {
+        throw new IllegalArgumentException("KeyboxName '" + keyboxName
+            + "' not supported.");
       }
+      
     } catch (CardException e) {
-      throw new SignatureCardException("Failed to get exclusive card access.");
-    }
-
-  }
-
-  protected byte[] selectFileAID(byte[] fid) throws CardException, SignatureCardException {
-    CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x04,
-        0x00, fid, 256));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("Failed to select file (AID="
-          + toString(fid) + "): SW=" + Integer.toHexString(resp.getSW()) + ".");
-    } else {
-      return resp.getBytes();
-    }
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
+    } 
+      
   }
 
   protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
@@ -262,6 +319,7 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
         0x00, fid, 256));
   }
 
+  @Override
   protected int verifyPIN(String pin, byte kid) throws CardException, SignatureCardException {
     
     CardChannel channel = getCardChannel();
@@ -290,35 +348,7 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
 
   }
   
-  /**
-   * 
-   * @param pinProvider
-   * @param spec
-   *          the PIN spec to be given to the pinProvider
-   * @param kid
-   *          the KID (key identifier) of the PIN to be verified
-   * @throws CancelledException
-   *           if the user canceld the operation
-   * @throws javax.smartcardio.CardException
-   * @throws at.gv.egiz.smcc.SignatureCardException
-   */
-  @Override
-  protected void verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid)
-      throws CardException, CancelledException, SignatureCardException, InterruptedException {
-
-    int retries = -1;
-    do {
-      String pin = pinProvider.providePIN(spec, retries);
-      if (pin == null) {
-        // user canceled operation
-        throw new CancelledException("User canceled operation");
-      } 
-      retries = verifyPIN(pin, kid);
-    } while (retries > 0);
-      
-  }
-    
-  void mseSetDST(int p1, int p2, byte[] dst) throws CardException, SignatureCardException {
+  private void mseSetDST(int p1, int p2, byte[] dst) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x22, p1,
         p2, dst));
@@ -328,7 +358,7 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
     }
   }
 
-  void psoHash(byte[] hash) throws CardException, SignatureCardException {
+  private void psoHash(byte[] hash) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x90,
         0x81, hash));
@@ -338,7 +368,7 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
     }
   }
 
-  byte[] psoComputDigitalSiganture() throws CardException,
+  private byte[] psoComputDigitalSiganture() throws CardException,
       SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x9E,
@@ -352,7 +382,7 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
     }
   }
   
-  byte[] internalAuthenticate(byte[] hash) throws CardException, SignatureCardException {
+  private byte[] internalAuthenticate(byte[] hash) throws CardException, SignatureCardException {
     byte[] digestInfo = new byte[] {
         (byte) 0x30, (byte) 0x21, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2B, (byte) 0x0E, 
         (byte) 0x03, (byte) 0x02, (byte) 0x1A, (byte) 0x05, (byte) 0x00, (byte) 0x04
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
index e34c4899..633cc90d 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
@@ -28,6 +28,8 @@
 //
 package at.gv.egiz.smcc;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -79,45 +81,56 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     return sb.toString();
   }
 
-  protected abstract byte[] selectFileAID(byte[] fid) throws CardException,
-      SignatureCardException;
-
-  protected abstract ResponseAPDU selectFileFID(byte[] fid) throws CardException,
-      SignatureCardException;
-
   /**
-   * VERIFY PIN
+   * Select an application using AID as DF name according to ISO/IEC 7816-4
+   * section 8.2.2.2.
    * 
-   * <p>
-   * Implementations of this method should call
-   * {@link PINProvider#providePIN(PINSpec, int)} to retrieve the PIN entered by
-   * the user and VERIFY PIN on the smart card until the PIN has been
-   * successfully verified.
-   * </p>
+   * @param dfName
+   *          AID of the application to be selected
    * 
-   * @param pinProvider
-   *          the PINProvider
-   * @param spec
-   *          the PINSpec
-   * @param kid
-   *          the key ID (KID) of the PIN to verify
+   * @return the response data of the response APDU if SW=0x9000
    * 
    * @throws CardException
-   *           if smart card communication fails
-   * 
-   * @throws CancelledException
-   *           if the PINProvider indicated that the user canceled the PIN entry
-   * @throws NotActivatedException
-   *           if the card application has not been activated
-   * @throws LockedException
-   *           if the card application is locked
+   *           if card communication fails
    * 
    * @throws SignatureCardException
-   *           if VERIFY PIN fails
+   *           if application selection fails (e.g. an application with the
+   *           given AID is not present on the card)
    */
-  protected abstract void verifyPIN(PINProvider pinProvider, PINSpec spec,
-      byte kid) throws CardException, SignatureCardException, InterruptedException;
+  protected byte[] selectFileAID(byte[] dfName) throws CardException, SignatureCardException {
+    CardChannel channel = getCardChannel();
+    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x04,
+        0x00, dfName, 256));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("Failed to select application AID="
+          + toString(dfName) + ": SW=" + Integer.toHexString(resp.getSW()) + ".");
+    } else {
+      return resp.getBytes();
+    }
+  }
+
+  protected abstract ResponseAPDU selectFileFID(byte[] fid) throws CardException,
+      SignatureCardException;
 
+  protected abstract int verifyPIN(String pin, byte kid) throws CardException, SignatureCardException;
+
+  
+  protected byte[] readRecord(int recordNumber) throws SignatureCardException, CardException {
+    return readRecord(getCardChannel(), recordNumber);
+  }
+
+  protected byte[] readRecord(CardChannel channel, int recordNumber) throws SignatureCardException, CardException {
+    
+    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xB2,
+        recordNumber, 0x04, 256));
+    if (resp.getSW() == 0x9000) {
+      return resp.getData();
+    } else {
+      throw new SignatureCardException("Failed to read records. SW=" + Integer.toHexString(resp.getSW()));
+    }
+     
+  }
+  
   protected byte[] readBinary(CardChannel channel, int offset, int len)
       throws CardException, SignatureCardException {
 
@@ -125,6 +138,8 @@ public abstract class AbstractSignatureCard implements SignatureCard {
         0x7F & (offset >> 8), offset & 0xFF, len));
     if (resp.getSW() == 0x9000) {
       return resp.getData();
+    } else if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
     } else {
       throw new SignatureCardException("Failed to read bytes (" + offset + "+"
           + len + "): SW=" + Integer.toHexString(resp.getSW()));
@@ -188,43 +203,10 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   }
 
-  /**
-   * Read the content of a TLV file.
-   * 
-   * @param aid the application ID (AID)
-   * @param ef the elementary file (EF)
-   * @param maxLength the maximum length of the file
-   * 
-   * @return the content of the file
-   * 
-   * @throws SignatureCardException
-   */
-  protected byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
-      throws SignatureCardException, InterruptedException {
-    return readTLVFilePIN(aid, ef, (byte) 0, null, null, maxLength);
-  }
-
-  
-  /**
-   * Read the content of a TLV file wich may require a PIN.
-   * 
-   * @param aid the application ID (AID)
-   * @param ef the elementary file (EF)
-   * @param kid the key ID (KID) of the corresponding PIN
-   * @param provider the PINProvider
-   * @param spec the PINSpec
-   * @param maxLength the maximum length of the file
-   * 
-   * @return the content of the file
-   * 
-   * @throws SignatureCardException
-   */
-  protected byte[] readTLVFilePIN(byte[] aid, byte[] ef, byte kid,
-      PINProvider provider, PINSpec spec, int maxLength)
-      throws SignatureCardException, InterruptedException {
-
+  protected byte[] readRecords(byte[] aid, byte[] ef, int start, int end) throws SignatureCardException, InterruptedException {
+    
     try {
-
+      
       // SELECT FILE (AID)
       byte[] rb = selectFileAID(aid);
       if (rb[rb.length - 2] != (byte) 0x90 || rb[rb.length - 1] != (byte) 0x00) {
@@ -256,37 +238,89 @@ public abstract class AbstractSignatureCard implements SignatureCard {
             + Integer.toHexString(resp.getSW()) + ").");
         
       }
-
-      // try to READ BINARY
-      byte[] b = new byte[1];
-      int sw = readBinary(0, 1, b);
       
-      if (provider != null && sw == 0x6982) {
-
-        // VERIFY
-        verifyPIN(provider, spec, kid);
-        
-      } else if (sw == 0x9000) {
-        // not expected type
-        if (b[0] != 0x30) {
-          throw new NotActivatedException();
-        }
-      } else {
-        throw new SignatureCardException("READ BINARY failed (SW="
-            + Integer.toHexString(sw) + ").");
+      ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+      
+      for (int i = start; i <= end; i++) {
+        bytes.write(readRecord(i));
       }
-
-      // READ BINARY
-      byte[] data = readBinaryTLV(maxLength, (byte) 0x30);
-
-      return data;
-
+      
+      return bytes.toByteArray();
+      
     } catch (CardException e) {
       throw new SignatureCardException("Failed to acces card.", e);
+    } catch (IOException e) {
+      throw new SignatureCardException("Failed to read records.", e);
     }
-
+    
+  }
+  
+  /**
+   * Read the content of a TLV file.
+   * 
+   * @param aid the application ID (AID)
+   * @param ef the elementary file (EF)
+   * @param maxLength the maximum length of the file
+   * 
+   * @return the content of the file
+   * 
+   * @throws SignatureCardException
+   * @throws CardException 
+   */
+  protected byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
+      throws SignatureCardException, InterruptedException, CardException {
+    return readTLVFile(aid, ef, null, (byte) 0, maxLength);
   }
 
+  /**
+   * Read the content of a TLV file wich may require a PIN.
+   * 
+   * @param aid the application ID (AID)
+   * @param ef the elementary file (EF)
+   * @param kid the key ID (KID) of the corresponding PIN
+   * @param provider the PINProvider
+   * @param spec the PINSpec
+   * @param maxLength the maximum length of the file
+   * 
+   * @return the content of the file
+   * 
+   * @throws SignatureCardException
+   * @throws CardException 
+   */
+  protected byte[] readTLVFile(byte[] aid, byte[] ef, String pin, byte kid, int maxLength)
+      throws SignatureCardException, InterruptedException, CardException {
+
+
+    // SELECT FILE (AID)
+    selectFileAID(aid);
+
+    // SELECT FILE (EF)
+    ResponseAPDU resp = selectFileFID(ef);
+    if (resp.getSW() == 0x6a82) {
+      // EF not found
+      throw new FileNotFoundException("EF " + toString(ef) + " not found.");
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("SELECT FILE with "
+          + "FID="
+          + toString(ef)
+          + " failed ("
+          + "SW="
+          + Integer.toHexString(resp.getSW()) + ").");
+    }
+
+    // VERIFY
+    if (pin != null) {
+      int retries = verifyPIN(pin, kid);
+      if (retries != -1) {
+        throw new VerificationFailedException(retries);
+      }
+    }
+    
+    return readBinaryTLV(maxLength, (byte) 0x30);
+      
+    
+  }
+  
   /**
    * Transmit the given command APDU using the given card channel.
    * 
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index d6d02475..2a6e90bf 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -31,7 +31,6 @@ package at.gv.egiz.smcc;
 import java.math.BigInteger;
 import java.util.Arrays;
 
-import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
@@ -49,6 +48,42 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
 
   public static final byte[] MF = new byte[] { (byte) 0x3F, (byte) 0x00 };
 
+  /**
+   * Application ID <em>SV-Personendaten</em>.
+   */
+  public static final byte[] AID_SV_PERSONENDATEN = new byte[] { 
+    (byte) 0xD0, (byte) 0x40, (byte) 0x00, (byte) 0x00, 
+    (byte) 0x17, (byte) 0x01, (byte) 0x01, (byte) 0x01
+  };
+  
+  /**
+   * File ID <em>Grunddaten</em> ({@link #AID_SV_PERSONENDATEN}).
+   */
+  public static final byte[] FID_GRUNDDATEN = new byte[] {
+    (byte) 0xEF, (byte) 0x01
+  };
+
+  /**
+   * File ID <em>EHIC</em> ({@link #AID_SV_PERSONENDATEN}).
+   */
+  public static final byte[] FID_EHIC = new byte[] {
+    (byte) 0xEF, (byte) 0x02
+  };
+  
+  /**
+   * File ID <em>Status</em> ({@link #AID_SV_PERSONENDATEN}).
+   */
+  public static final byte[] FID_SV_PERSONENBINDUNG = new byte[] {
+    (byte) 0xEF, (byte) 0x03
+  };
+
+  /**
+   * File ID <em>Status</em> ({@link #AID_SV_PERSONENDATEN}).
+   */
+  public static final byte[] FID_STATUS = new byte[] {
+    (byte) 0xEF, (byte) 0x04
+  };
+
   public static final byte[] AID_INFOBOX = new byte[] { (byte) 0xd0,
       (byte) 0x40, (byte) 0x00, (byte) 0x00, (byte) 0x17, (byte) 0x00,
       (byte) 0x18, (byte) 0x01 };
@@ -126,85 +161,134 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     super("at/gv/egiz/smcc/STARCOSCard");
   }
  
-  /* (non-Javadoc)
-   * @see at.gv.egiz.smcc.SignatureCard#getCertificate(at.gv.egiz.smcc.SignatureCard.KeyboxName)
-   */
   @Override
   public byte[] getCertificate(KeyboxName keyboxName)
       throws SignatureCardException, InterruptedException {
 
-    byte[] aid;
-    byte[] efc;
-    if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
-      aid = AID_DF_SS;
-      efc = EF_C_X509_CH_DS;
-    } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
-      aid = AID_DF_GS;
-      efc = EF_C_X509_CH_AUT;
-    } else {
-      throw new IllegalArgumentException("Keybox " + keyboxName
-          + " not supported.");
-    }
+    try {
+      
+      if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+        
+        try {
+          getCard().beginExclusive();
+          return readTLVFile(AID_DF_SS, EF_C_X509_CH_DS, 2000);
+        } catch (FileNotFoundException e) {
+          throw new NotActivatedException();
+        } finally {
+          getCard().endExclusive();
+        }
+        
+      } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
 
-    log.debug("Get certificate for keybox '" + keyboxName.getKeyboxName() + "'" +
-        " (AID=" + toString(aid) + " EF=" + toString(efc) + ").");
+        try {
+          getCard().beginExclusive();
+          return readTLVFile(AID_DF_GS, EF_C_X509_CH_AUT, 2000);
+        } catch (FileNotFoundException e) {
+          throw new NotActivatedException();
+        } finally {
+          getCard().endExclusive();
+        }
 
-    try {
-      Card card = getCardChannel().getCard();
-      try {
-        card.beginExclusive();
-        return readTLVFile(aid, efc, 2000);
-      } catch (FileNotFoundException e) {
-        // if certificate is not present, 
-        // the citizen card application has not been activated
-        throw new NotActivatedException();
-      } finally {
-        card.endExclusive();
+      } else {
+        throw new IllegalArgumentException("Keybox " + keyboxName
+            + " not supported.");
       }
+      
     } catch (CardException e) {
-      throw new SignatureCardException("Failed to get exclusive card access.");
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
     }
-    
-  }
 
-  /* (non-Javadoc)
-   * @see at.gv.egiz.smcc.SignatureCard#getInfobox(java.lang.String, at.gv.egiz.smcc.PINProvider, java.lang.String)
-   */
+  }
+  
   @Override
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
       throws SignatureCardException, InterruptedException {
   
-    if ("IdentityLink".equals(infobox)) {
-  
-      PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
-      
-      try {
-        Card card = getCardChannel().getCard();
+    try {
+      if ("IdentityLink".equals(infobox)) {
+ 
+        PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
+        
+        int retries = -1;
+        String pin = null;
+        boolean pinRequiered = false;
+
+        do {
+          if (pinRequiered) {
+            pin = provider.providePIN(spec, retries);
+            if (pin == null) {
+              throw new CancelledException();
+            }
+          }
+          try {
+            getCard().beginExclusive();
+            return readTLVFile(AID_INFOBOX, EF_INFOBOX, pin, KID_PIN_CARD, 2000);
+          } catch (FileNotFoundException e) {
+            throw new NotActivatedException();
+          } catch (SecurityStatusNotSatisfiedException e) {
+            pinRequiered = true;
+            retries = verifyPIN(null, KID_PIN_CARD);
+          } catch (VerificationFailedException e) {
+            pinRequiered = true;
+            retries = e.getRetries();
+          } finally {
+            getCard().endExclusive();
+          }
+        } while (retries != 0);
+
+        throw new LockedException();
+
+        
+      } else if ("EHIC".equals(infobox)) {
+        
         try {
-          card.beginExclusive();
-          return readTLVFilePIN(AID_INFOBOX, EF_INFOBOX, KID_PIN_CARD,
-              provider, spec, 2000);
-        } catch (FileNotFoundException e) {
-          // if certificate is not present, 
-          // the citizen card application has not been activated
-          throw new NotActivatedException();
+          getCard().beginExclusive();
+          return readTLVFile(AID_SV_PERSONENDATEN, FID_EHIC, 126);
         } finally {
-          card.endExclusive();
+          getCard().endExclusive();
         }
-      } catch (CardException e) {
-        throw new SignatureCardException("Failed to get exclusive card access.");
+        
+      } else if ("Grunddaten".equals(infobox)) {
+        
+        try {
+          getCard().beginExclusive();
+          return readTLVFile(AID_SV_PERSONENDATEN, FID_GRUNDDATEN, 550);
+        } finally {
+          getCard().endExclusive();
+        }
+        
+      } else if ("SV-Personenbindung".equals(infobox)) {
+        
+        try {
+          getCard().beginExclusive();
+          return readTLVFile(AID_SV_PERSONENDATEN, FID_SV_PERSONENBINDUNG, 500);
+        } finally {
+          getCard().endExclusive();
+        }
+        
+      } else if ("Status".equals(infobox)) {
+        
+        try {
+          getCard().beginExclusive();
+          return readRecords(AID_SV_PERSONENDATEN, FID_STATUS, 1, 5);
+        } finally {
+          getCard().endExclusive();
+        }
+        
+      } else {
+        throw new IllegalArgumentException("Infobox '" + infobox
+            + "' not supported.");
       }
       
-    } else {
-      throw new IllegalArgumentException("Infobox '" + infobox
-          + "' not supported.");
+    } catch (CardException e) {
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
     }
   
   }
 
-  /* (non-Javadoc)
-   * @see at.gv.egiz.smcc.SignatureCard#createSignature(byte[], at.gv.egiz.smcc.SignatureCard.KeyboxName, at.gv.egiz.smcc.PINProvider)
-   */
+  @Override
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
       PINProvider provider) throws SignatureCardException, InterruptedException {
   
@@ -212,72 +296,115 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
       throw new IllegalArgumentException("Hash value must be of length 20.");
     }
   
-    byte[] aid;
-    byte kid;
-    byte[] dst;
-    PINSpec spec;
-    if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
-      aid = AID_DF_SS;
-      kid = KID_PIN_SS;
-      dst = DST_SS;
-      spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
-  
-    } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
-      aid = AID_DF_GS;
-      kid = KID_PIN_CARD;
-      dst = DST_GS;
-      spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
-  
-    } else {
-      throw new IllegalArgumentException("KeyboxName '" + keyboxName
-          + "' not supported.");
-    }
-  
     try {
-      Card card = getCardChannel().getCard();
-      try {
-        card.beginExclusive();
-
-        // SELECT MF
-        selectMF();
-        // SELECT DF
-        selectFileAID(aid);
-        // VERIFY
-        verifyPIN(provider, spec, kid);
-        // MSE: SET DST
-        mseSetDST(dst);
-        // PSO: HASH
-        psoHash(hash);
-        // PSO: COMPUTE DIGITAL SIGNATURE
-        return psoComputDigitalSiganture();
-
-
-      } catch (FileNotFoundException e) {
-        // if certificate is not present, 
-        // the citizen card application has not been activated
-        throw new NotActivatedException();
-      } finally {
-        card.endExclusive();
+      
+      if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
+
+        PINSpec spec = new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
+        
+        int retries = -1;
+        String pin = null;
+
+        do {
+          try {
+            getCard().beginExclusive();
+            selectFileAID(AID_DF_SS);
+            retries = verifyPIN(null, KID_PIN_SS);
+          } finally {
+            getCard().endExclusive();
+          }
+          pin = provider.providePIN(spec, retries);
+          if (pin == null) {
+            throw new CancelledException();
+          }
+          try {
+            getCard().beginExclusive();
+            return createSignature(hash, AID_DF_SS, pin, KID_PIN_SS, DST_SS);
+          } catch (VerificationFailedException e) {
+            retries = e.getRetries();
+          } finally {
+            getCard().endExclusive();
+          }
+        } while (retries != 0);
+
+        throw new LockedException();
+
+ 
+      } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
+
+        PINSpec spec = new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
+ 
+        int retries = -1;
+        String pin = null;
+        boolean pinRequiered = false;
+
+        do {
+          if (pinRequiered) {
+            pin = provider.providePIN(spec, retries);
+            if (pin == null) {
+              throw new CancelledException();
+            }
+          }
+          try {
+            getCard().beginExclusive();
+            return createSignature(hash, AID_DF_GS, pin, KID_PIN_CARD, DST_GS);
+          } catch (FileNotFoundException e) {
+            throw new NotActivatedException();
+          } catch (SecurityStatusNotSatisfiedException e) {
+            pinRequiered = true;
+            retries = verifyPIN(null, KID_PIN_CARD);
+          } catch (VerificationFailedException e) {
+            pinRequiered = true;
+            retries = e.getRetries();
+          } finally {
+            getCard().endExclusive();
+          }
+        } while (retries != 0);
+
+        throw new LockedException();
+        
+      } else {
+        throw new IllegalArgumentException("KeyboxName '" + keyboxName
+            + "' not supported.");
       }
+
     } catch (CardException e) {
-      throw new SignatureCardException("Failed to get exclusive card access.");
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
     }
   
   }
 
-  protected byte[] selectFileAID(byte[] fid) throws CardException, SignatureCardException {
+  protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x04,
+    return transmit(channel, new CommandAPDU(0x00, 0xA4, 0x02,
         0x04, fid, 256));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("Failed to select file (AID="
-          + toString(fid) + "): SW=" + Integer.toHexString(resp.getSW()) + ".");
-    } else {
-      return resp.getBytes();
+  }
+
+  private byte[] createSignature(byte[] hash, byte[] aid, String pin, byte kid,
+      byte[] dst) throws CardException, SignatureCardException {
+    
+    // SELECT MF
+    selectMF();
+    // SELECT DF
+    selectFileAID(aid);
+    // VERIFY
+    int retries = verifyPIN(pin, kid);
+    if (retries != -1) {
+      throw new VerificationFailedException(retries);
     }
+    // MSE: SET DST
+    mseSetDST(dst);
+    // PSO: HASH
+    psoHash(hash);
+    // PSO: COMPUTE DIGITAL SIGNATURE
+    return psoComputDigitalSiganture();
+
+    
   }
 
-  void selectMF() throws CardException, SignatureCardException {
+  
+  private void selectMF() throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x00,
         0x0C));
@@ -287,13 +414,7 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     }
   }
 
-  protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
-    CardChannel channel = getCardChannel();
-    return transmit(channel, new CommandAPDU(0x00, 0xA4, 0x02,
-        0x04, fid, 256));
-  }
-
-  void mseSetDST(byte[] dst) throws CardException, SignatureCardException {
+  private void mseSetDST(byte[] dst) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x22, 0x41,
         0xB6, dst));
@@ -303,7 +424,7 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     }
   }
 
-  void psoHash(byte[] hash) throws CardException, SignatureCardException {
+  private void psoHash(byte[] hash) throws CardException, SignatureCardException {
     byte[] data = new byte[hash.length + 2];
     data[0] = (byte) 0x90; // tag
     data[1] = (byte) (hash.length); // length
@@ -318,7 +439,7 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     }
   }
 
-  byte[] psoComputDigitalSiganture() throws CardException,
+  private byte[] psoComputDigitalSiganture() throws CardException,
       SignatureCardException {
     CardChannel channel = getCardChannel();
     ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x9E,
@@ -353,7 +474,8 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
    * @throws SignatureCardException
    *           if VERIFY PIN fails
    */
-  private int verifyPIN(String pin, byte kid) throws CardException, SignatureCardException {
+  @Override
+  protected int verifyPIN(String pin, byte kid) throws CardException, SignatureCardException {
     
     CardChannel channel = getCardChannel();
 
@@ -385,6 +507,8 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     } else if (resp.getSW1() == 0x63 && resp.getSW2() >> 4 == 0xc) {
       // return number of possible retries
       return resp.getSW2() & 0x0f;
+    } else if (resp.getSW() == 0x6983) {
+      throw new LockedException();
     } else if (resp.getSW() == 0x6984) {
       // PIN LCS = "Initialized" (-> not activated)
       throw new NotActivatedException("PIN not set.");
@@ -397,26 +521,8 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
     
   }
   
-  /* (non-Javadoc)
-   * @see at.gv.egiz.smcc.AbstractSignatureCard#verifyPIN(at.gv.egiz.smcc.PINProvider, at.gv.egiz.smcc.PINSpec, byte, int)
-   */
-  protected void verifyPIN(PINProvider pinProvider, PINSpec spec, byte kid)
-      throws CardException, SignatureCardException, InterruptedException {
-
-    int retries = verifyPIN(null, kid);
-    do {
-      String pin = pinProvider.providePIN(spec, retries);
-      if (pin == null) {
-        // user canceled operation
-        throw new CancelledException("User canceld operation.");
-      }
-      retries = verifyPIN(pin, kid);
-    } while (retries > 0);
-
-  }
-
   public String toString() {
-    return "eCard";
+    return "e-card";
   }
 
  
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SecurityStatusNotSatisfiedException.java b/smcc/src/main/java/at/gv/egiz/smcc/SecurityStatusNotSatisfiedException.java
new file mode 100644
index 00000000..bf0af76c
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SecurityStatusNotSatisfiedException.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class SecurityStatusNotSatisfiedException extends SignatureCardException {
+
+  private static final long serialVersionUID = 1L;
+
+  public SecurityStatusNotSatisfiedException() {
+  }
+
+  public SecurityStatusNotSatisfiedException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  public SecurityStatusNotSatisfiedException(String message) {
+    super(message);
+  }
+
+  public SecurityStatusNotSatisfiedException(Throwable cause) {
+    super(cause);
+  }
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/VerificationFailedException.java b/smcc/src/main/java/at/gv/egiz/smcc/VerificationFailedException.java
new file mode 100644
index 00000000..fa066ff9
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/VerificationFailedException.java
@@ -0,0 +1,65 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class VerificationFailedException extends SignatureCardException {
+
+  private static final long serialVersionUID = 1L;
+
+  public static final int UNKNOWN = -1;
+  
+  private int retries = UNKNOWN;
+  
+  public VerificationFailedException() {
+  }
+
+  public VerificationFailedException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  public VerificationFailedException(String message) {
+    super(message);
+  }
+
+  public VerificationFailedException(Throwable cause) {
+    super(cause);
+  }
+
+  public VerificationFailedException(int retries) {
+    this.retries = retries;
+  }
+
+  public VerificationFailedException(int retries, String message, Throwable cause) {
+    super(message, cause);
+    this.retries = retries;
+  }
+
+  public VerificationFailedException(int retries, String message) {
+    super(message);
+    this.retries = retries;
+  }
+
+  public VerificationFailedException(int retries, Throwable cause) {
+    super(cause);
+    this.retries = retries;
+  }
+
+  public int getRetries() {
+    return retries;
+  }
+  
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
index 13210540..090e1181 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
@@ -19,6 +19,8 @@ package at.gv.egiz.smcc;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.PrintWriter;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Locale;
@@ -27,6 +29,8 @@ import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
 import javax.smartcardio.ResponseAPDU;
 
+import sun.misc.HexDumpEncoder;
+
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
 import at.gv.egiz.smcc.util.SMCCHelper;
 
@@ -34,10 +38,9 @@ public class STARCOSCardTest {
 
   /**
    * @param args
-   * @throws CardException 
-   * @throws NoSuchAlgorithmException 
+   * @throws Exception 
    */
-  public static void main(String[] args) throws CardException, NoSuchAlgorithmException, InterruptedException {
+  public static void main(String[] args) throws Exception {
     
     SMCCHelper helper = new SMCCHelper();
     while (helper.getResultCode() != SMCCHelper.CARD_FOUND) {
@@ -55,18 +58,41 @@ public class STARCOSCardTest {
     System.out.println("Found '" + signatureCard + "'.");
     
     try {
-//      signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
-//      signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
-//      signatureCard.getInfobox("IdentityLink", new CommandLinePINProvider(), null);
+//      printJavaByteArray(
+//          signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR), System.out);
+//      printJavaByteArray(
+//          signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR), System.out);
+//      System.out. println(new String(signatureCard.getInfobox("IdentityLink", new CommandLinePINProvider(), null)));
+//        byte[] infobox = signatureCard.getInfobox("Status", new CommandLinePINProvider(), null);
+//        printJavaByteArray(infobox, System.out);
       MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
       byte[] digest = messageDigest.digest("test".getBytes());
-      signatureCard.createSignature(digest, KeyboxName.CERITIFIED_KEYPAIR, new CommandLinePINProvider());
+      byte[] signature = signatureCard.createSignature(digest, KeyboxName.SECURE_SIGNATURE_KEYPAIR, new CommandLinePINProvider());
+      printJavaByteArray(signature, System.out);
     } catch (SignatureCardException e) {
       e.printStackTrace();
     }
 
   }
   
+  public static void printJavaByteArray(byte[] bytes, OutputStream os) {
+    
+    PrintWriter w = new PrintWriter(os);
+    
+    w.write("new byte[] {");
+    for (int i = 0; i < bytes.length;) {
+      if (i % 8 == 0) { 
+        w.write("\n  ");
+      }
+      w.write("(byte) 0x" + Integer.toHexString(0x0F & (bytes[i] >> 4)) + Integer.toHexString(0x0F & bytes[i]));
+      if (++i < bytes.length) {
+        w.write(", ");
+      }
+    }
+    w.write("\n};");
+    w.flush();
+  }
+  
   private static class CommandLinePINProvider implements PINProvider {
 
     @Override
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
index 04f179e7..5a54e97f 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
@@ -103,6 +103,9 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler implements
           stalResp.setInfoboxValue(resp);
           return stalResp;
         }
+      } catch (IllegalArgumentException e) {
+        log.info("Infobox " + infoBox.getInfoboxIdentifier() + " not supported.");
+        return new ErrorResponse(4002);
       } catch (NotActivatedException e) {
         log.info("Citizen card not activated.", e);
         gui.showErrorDialog(BKUGUIFacade.ERR_CARD_NOTACTIVATED, null, this, null);
-- 
cgit v1.2.3


From d1cb86eef5158caea65975d9cc62c8b616ea6a73 Mon Sep 17 00:00:00 2001
From: wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Wed, 17 Dec 2008 14:24:38 +0000
Subject: Added @Ignore

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@251 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java | 11 +++++++----
 smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java |  3 +++
 smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java      |  3 +++
 3 files changed, 13 insertions(+), 4 deletions(-)

(limited to 'smcc/src/test/java')

diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java b/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
index 5f4bb67e..4835865f 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
@@ -16,10 +16,13 @@
 */
 package at.gv.egiz.smcc;
 
-import java.util.Locale;
-
-import at.gv.egiz.smcc.util.SMCCHelper;
-
+import java.util.Locale;
+
+import org.junit.Ignore;
+
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+@Ignore
 public class SMCCApplication {
 
   /**
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
index 090e1181..7f421474 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
@@ -29,11 +29,14 @@ import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
 import javax.smartcardio.ResponseAPDU;
 
+import org.junit.Ignore;
+
 import sun.misc.HexDumpEncoder;
 
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
 import at.gv.egiz.smcc.util.SMCCHelper;
 
+@Ignore
 public class STARCOSCardTest {
 
   /**
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
index 38126a67..115edc16 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
@@ -20,8 +20,11 @@ import java.math.BigInteger;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
+import org.junit.Ignore;
+
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
 
+@Ignore
 public class SWCardTest implements PINProvider {
 
   SWCard swCard = new SWCard();
-- 
cgit v1.2.3


From 77a19e106e4128c21dd2d1270fdc8d930e415247 Mon Sep 17 00:00:00 2001
From: wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Thu, 18 Dec 2008 08:58:39 +0000
Subject: Fixed BUG #366, changed applet name in BKUOnline to have no version
 number

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@253 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../gv/egiz/bku/online/applet/AppletBKUWorker.java |  59 ++++--
 .../online/applet/InternalSSLSocketFactory.java    | 235 +++++++++++----------
 .../conf/certs/CACerts/A-CERT GLOBALTRUST.cer      | Bin 0 -> 1561 bytes
 .../local/conf/certs/certStore/A-CERT ADVANCED.cer | Bin 0 -> 1751 bytes
 .../conf/certs/certStore/A-CERT GLOBALTRUST.cer    | Bin 0 -> 1561 bytes
 .../conf/certs/certStore/A-Trust-Qual-01a.cer      | Bin 0 -> 1111 bytes
 .../conf/certs/certStore/A-Trust-Qual-02a.cer      | Bin 0 -> 975 bytes
 .../conf/certs/certStore/A-Trust-Qual-03a.cer      | Bin 0 -> 975 bytes
 .../conf/certs/certStore/A-Trust-nQual-01a.cer     | Bin 0 -> 865 bytes
 .../conf/certs/certStore/A-Trust-nQual-03.cer      | Bin 0 -> 979 bytes
 BKUOnline/pom.xml                                  |   1 +
 .../egiz/bku/online/webapp/BKURequestHandler.java  |  60 ++++--
 .../webapp/applet/BKUApplet-1.0.2-SNAPSHOT.jar     | Bin 182140 -> 0 bytes
 BKUOnline/src/main/webapp/appletPage.jsp           |   2 +-
 .../accesscontroller/AuthenticationClassifier.java |   3 +-
 .../test/java/at/gv/egiz/smcc/SMCCApplication.java |  49 -----
 .../test/java/at/gv/egiz/smcc/STARCOSCardTest.java | 121 -----------
 smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java |  66 ------
 18 files changed, 197 insertions(+), 399 deletions(-)
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-CERT GLOBALTRUST.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT ADVANCED.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT GLOBALTRUST.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-01a.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-02a.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-03a.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-01a.cer
 create mode 100644 BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-03.cer
 delete mode 100644 BKUOnline/src/main/webapp/applet/BKUApplet-1.0.2-SNAPSHOT.jar
 delete mode 100644 smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
 delete mode 100644 smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
 delete mode 100644 smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java

(limited to 'smcc/src/test/java')

diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java
index 03e4b7c9..9fc21df8 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java
@@ -38,7 +38,7 @@ import java.util.List;
 import javax.xml.namespace.QName;
 
 /**
- *
+ * 
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
  */
 public class AppletBKUWorker extends AbstractBKUWorker implements Runnable {
@@ -48,7 +48,8 @@ public class AppletBKUWorker extends AbstractBKUWorker implements Runnable {
   protected String sessionId;
   protected STALPortType stalPort;
 
-  public AppletBKUWorker(BKUGUIFacade gui, AppletContext ctx, AppletParameterProvider paramProvider) {
+  public AppletBKUWorker(BKUGUIFacade gui, AppletContext ctx,
+      AppletParameterProvider paramProvider) {
     super(gui);
     if (ctx == null) {
       throw new NullPointerException("Applet context not provided");
@@ -76,7 +77,7 @@ public class AppletBKUWorker extends AbstractBKUWorker implements Runnable {
       actionCommandList.clear();
       actionCommandList.add("ok");
       gui.showErrorDialog(BKUGUIFacade.ERR_SERVICE_UNREACHABLE,
-              new Object[]{e.getMessage()});
+          new Object[] { e.getMessage() });
       try {
         waitForAction();
       } catch (InterruptedException e1) {
@@ -92,8 +93,10 @@ public class AppletBKUWorker extends AbstractBKUWorker implements Runnable {
 
       GetNextRequestResponseType nextRequestResp = stalPort.connect(sessionId);
       do {
-        List<RequestType> requests = nextRequestResp.getInfoboxReadRequestOrSignRequestOrQuitRequest();
-        List<STALRequest> stalRequests = STALTranslator.translateRequests(requests);
+        List<RequestType> requests = nextRequestResp
+            .getInfoboxReadRequestOrSignRequestOrQuitRequest();
+        List<STALRequest> stalRequests = STALTranslator
+            .translateRequests(requests);
 
         if (log.isInfoEnabled()) {
           StringBuilder sb = new StringBuilder("Received ");
@@ -142,64 +145,76 @@ public class AppletBKUWorker extends AbstractBKUWorker implements Runnable {
         }
 
         if (!finished) {
-          log.info("Not finished yet (BKUWorker: " + this + "), sending responses");
+          log.info("Not finished yet (BKUWorker: " + this
+              + "), sending responses");
           GetNextRequestType nextRequest = of.createGetNextRequestType();
           nextRequest.setSessionId(sessionId);
-          nextRequest.getInfoboxReadResponseOrSignResponseOrErrorResponse().addAll(responses);
+          nextRequest.getInfoboxReadResponseOrSignResponseOrErrorResponse()
+              .addAll(responses);
           nextRequestResp = stalPort.getNextRequest(nextRequest);
         }
       } while (!finished);
       log.info("Done " + Thread.currentThread().getName());
     } catch (Exception ex) {
       log.error(ex.getMessage(), ex);
-      gui.showErrorDialog(BKUGUIFacade.ERR_UNKNOWN, new Object[]{ex.getMessage()});
+      gui.showErrorDialog(BKUGUIFacade.ERR_UNKNOWN, new Object[] { ex
+          .getMessage() });
       try {
         waitForAction();
       } catch (InterruptedException e) {
         log.error(e);
       }
-    }
-    if (signatureCard != null) {
-      signatureCard.disconnect(false);
+      if (signatureCard != null) {
+        signatureCard.disconnect(false);
+      }
     }
     sendRedirect();
   }
 
   protected void sendRedirect() {
     try {
-      URL redirectURL = params.getURLParameter(BKUApplet.REDIRECT_URL, sessionId);
-      String redirectTarget = params.getAppletParameter(BKUApplet.REDIRECT_TARGET);
+      URL redirectURL = params.getURLParameter(BKUApplet.REDIRECT_URL,
+          sessionId);
+      String redirectTarget = params
+          .getAppletParameter(BKUApplet.REDIRECT_TARGET);
       if (redirectTarget == null) {
         log.info("Done. Redirecting to " + redirectURL + " ...");
         ctx.showDocument(redirectURL);
       } else {
-        log.info("Done. Redirecting to " + redirectURL + " (target=" + redirectTarget + ") ...");
+        log.info("Done. Redirecting to " + redirectURL + " (target="
+            + redirectTarget + ") ...");
         ctx.showDocument(redirectURL, redirectTarget);
       }
     } catch (MalformedURLException ex) {
       log.warn("Failed to redirect: " + ex.getMessage(), ex);
-    // gui.showErrorDialog(errorMsg, okListener, actionCommand)
+      // gui.showErrorDialog(errorMsg, okListener, actionCommand)
     }
   }
 
   private STALPortType getSTALPort() throws MalformedURLException {
     URL wsdlURL = params.getURLParameter(BKUApplet.WSDL_URL);
     log.debug("STAL WSDL at " + wsdlURL);
-    QName endpointName = new QName(BKUApplet.STAL_WSDL_NS, BKUApplet.STAL_SERVICE);
+    QName endpointName = new QName(BKUApplet.STAL_WSDL_NS,
+        BKUApplet.STAL_SERVICE);
     STALService stal = new STALService(wsdlURL, endpointName);
     return stal.getSTALPort();
   }
 
   private void registerSignRequestHandler() throws MalformedURLException {
-    String hashDataDisplayStyle = params.getAppletParameter(BKUApplet.HASHDATA_DISPLAY);
+    String hashDataDisplayStyle = params
+        .getAppletParameter(BKUApplet.HASHDATA_DISPLAY);
     if (BKUApplet.HASHDATA_DISPLAY_BROWSER.equals(hashDataDisplayStyle)) {
-      URL hashDataURL = params.getURLParameter(BKUApplet.HASHDATA_URL, sessionId);
+      URL hashDataURL = params.getURLParameter(BKUApplet.HASHDATA_URL,
+          sessionId);
       log.debug("register SignRequestHandler for HashDataURL " + hashDataURL);
-      addRequestHandler(SignRequest.class, new BrowserHashDataDisplay(ctx, hashDataURL));
+      addRequestHandler(SignRequest.class, new BrowserHashDataDisplay(ctx,
+          hashDataURL));
     } else {
-      //BKUApplet.HASHDATA_DISPLAY_FRAME
-      log.debug("register SignRequestHandler for STAL port " + BKUApplet.WSDL_URL);
-      AppletHashDataDisplay handler = new AppletHashDataDisplay(stalPort, sessionId);
+      // BKUApplet.HASHDATA_DISPLAY_FRAME
+      log.debug("register SignRequestHandler for STAL port "
+          + BKUApplet.WSDL_URL);
+      AppletHashDataDisplay handler = new AppletHashDataDisplay(stalPort,
+          sessionId);
       addRequestHandler(SignRequest.class, handler);
     }
   }
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
index c3417d63..a02e56eb 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/InternalSSLSocketFactory.java
@@ -36,121 +36,122 @@ import org.apache.commons.logging.LogFactory;
 
 public class InternalSSLSocketFactory extends SSLSocketFactory {
 
-	private final static String GOV_DOMAIN = ".gv.at";
-
-	private static InternalSSLSocketFactory instance = new InternalSSLSocketFactory();
-
-	private final static Log log = LogFactory
-			.getLog(InternalSSLSocketFactory.class);
-
-	private SSLSocket sslSocket;
-
-	private SSLSocketFactory proxy;
-
-	private InternalSSLSocketFactory() {
-		proxy = HttpsURLConnection.getDefaultSSLSocketFactory();
-	}
-
-	public static InternalSSLSocketFactory getInstance() {
-		return instance;
-	}
-
-	@Override
-	public Socket createSocket() throws IOException {
-		sslSocket = (SSLSocket) proxy.createSocket();
-		return sslSocket;
-	}
-
-	@Override
-	public Socket createSocket(String arg0, int arg1) throws IOException,
-			UnknownHostException {
-		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
-
-		return sslSocket;
-	}
-
-	@Override
-	public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
-		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
-		return sslSocket;
-	}
-
-	@Override
-	public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
-			throws IOException, UnknownHostException {
-		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
-		return sslSocket;
-	}
-
-	@Override
-	public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
-			int arg3) throws IOException {
-		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
-		return sslSocket;
-	}
-
-	@Override
-	public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
-			throws IOException {
-		sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
-		return sslSocket;
-	}
-
-	@Override
-	public String[] getDefaultCipherSuites() {
-		return proxy.getDefaultCipherSuites();
-	}
-
-	@Override
-	public String[] getSupportedCipherSuites() {
-		return proxy.getSupportedCipherSuites();
-	}
-
-	public boolean isEgovAgency() {
-		log.info("Checking if server is egov agency");
-		if (sslSocket != null) {
-			try {
-				X509Certificate cert = (X509Certificate) sslSocket.getSession()
-						.getPeerCertificates()[0];
-				log.info("Server cert: " + cert);
-				return isGovAgency(cert);
-			} catch (SSLPeerUnverifiedException e) {
-				log.error(e);
-				return false;
-			}
-		}
-		log.info("Not a SSL connection");
-		return false;
-	}
-
-	public static boolean isGovAgency(X509Certificate cert) {
-		String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
-		for (String rdn : rdns) {
-			if (rdn.startsWith("CN=")) {
-				String dns = rdn.split("=")[1];
-				if (dns.endsWith(GOV_DOMAIN)) {
-					return true;
-				}
-			}
-		}
-		try {
-			Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
-			if (sanList != null) {
-				for (List<?> san : sanList) {
-					if ((Integer) san.get(0) == 2) {
-						String dns = (String) san.get(1);
-						if (dns.endsWith(GOV_DOMAIN)) {
-							return true;
-						}
-					}
-				}
-			}
-		} catch (CertificateParsingException e) {
-			log.error(e);
-		}
-		if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
-			return true;
-		}
-		return false;
-	}
+  private final static String GOV_DOMAIN = ".gv.at";
+
+  private static InternalSSLSocketFactory instance = new InternalSSLSocketFactory();
+
+  private final static Log log = LogFactory
+      .getLog(InternalSSLSocketFactory.class);
+
+  private SSLSocket sslSocket;
+
+  private SSLSocketFactory proxy;
+
+  private InternalSSLSocketFactory() {
+    proxy = HttpsURLConnection.getDefaultSSLSocketFactory();
+  }
+
+  public static InternalSSLSocketFactory getInstance() {
+    return instance;
+  }
+
+  @Override
+  public Socket createSocket() throws IOException {
+    sslSocket = (SSLSocket) proxy.createSocket();
+    return sslSocket;
+  }
+
+  @Override
+  public Socket createSocket(String arg0, int arg1) throws IOException,
+      UnknownHostException {
+    sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
+
+    return sslSocket;
+  }
+
+  @Override
+  public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
+    sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1);
+    return sslSocket;
+  }
+
+  @Override
+  public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
+      throws IOException, UnknownHostException {
+    sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+    return sslSocket;
+  }
+
+  @Override
+  public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
+      int arg3) throws IOException {
+    sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+    return sslSocket;
+  }
+
+  @Override
+  public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
+      throws IOException {
+    sslSocket = (SSLSocket) proxy.createSocket(arg0, arg1, arg2, arg3);
+    return sslSocket;
+  }
+
+  @Override
+  public String[] getDefaultCipherSuites() {
+    return proxy.getDefaultCipherSuites();
+  }
+
+  @Override
+  public String[] getSupportedCipherSuites() {
+    return proxy.getSupportedCipherSuites();
+  }
+
+  public boolean isEgovAgency() {
+    log.info("Checking if server is egov agency");
+    if (sslSocket != null) {
+      try {
+        X509Certificate cert = (X509Certificate) sslSocket.getSession()
+            .getPeerCertificates()[0];
+        log.info("Server cert: " + cert);
+        return isGovAgency(cert);
+      } catch (SSLPeerUnverifiedException e) {
+        log.error(e);
+        return false;
+      }
+    }
+    log.info("Not a SSL connection");
+    return false;
+  }
+
+  public static boolean isGovAgency(X509Certificate cert) {
+    String[] rdns = (cert.getSubjectX500Principal().getName()).split(",");
+    for (String rdn : rdns) {
+      if (rdn.startsWith("CN=")) {
+        String dns = rdn.split("=")[1];
+        if (dns.endsWith(GOV_DOMAIN)) {
+          return true;
+        }
+      }
+    }
+    try {
+      Collection<List<?>> sanList = cert.getSubjectAlternativeNames();
+      if (sanList != null) {
+        for (List<?> san : sanList) {
+          if ((Integer) san.get(0) == 2) {
+            String dns = (String) san.get(1);
+            if (dns.endsWith(GOV_DOMAIN)) {
+              return true;
+            }
+          }
+        }
+      }
+    } catch (CertificateParsingException e) {
+      log.error(e);
+    }
+    if ((cert.getExtensionValue("1.2.40.0.10.1.1.1") != null)
+        || (cert.getExtensionValue("1.2.40.0.10.1.1.2") != null)) {
+      return true;
+    }
+    return false;
+  }
 }
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-CERT GLOBALTRUST.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-CERT GLOBALTRUST.cer
new file mode 100644
index 00000000..9a25e57d
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/CACerts/A-CERT GLOBALTRUST.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT ADVANCED.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT ADVANCED.cer
new file mode 100644
index 00000000..66ff251b
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT ADVANCED.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT GLOBALTRUST.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT GLOBALTRUST.cer
new file mode 100644
index 00000000..9a25e57d
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-CERT GLOBALTRUST.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-01a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-01a.cer
new file mode 100644
index 00000000..f9fef65f
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-01a.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-02a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-02a.cer
new file mode 100644
index 00000000..36a442b8
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-02a.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-03a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-03a.cer
new file mode 100644
index 00000000..ab9e0cd7
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-Qual-03a.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-01a.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-01a.cer
new file mode 100644
index 00000000..efa28178
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-01a.cer differ
diff --git a/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-03.cer b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-03.cer
new file mode 100644
index 00000000..33e77636
Binary files /dev/null and b/BKULocal/src/main/resources/at/gv/egiz/bku/local/conf/certs/certStore/A-Trust-nQual-03.cer differ
diff --git a/BKUOnline/pom.xml b/BKUOnline/pom.xml
index 1ea2c1a1..5e6ac8ad 100644
--- a/BKUOnline/pom.xml
+++ b/BKUOnline/pom.xml
@@ -121,6 +121,7 @@
 							</artifactItems>-->
 							<includeGroupIds>at.gv.egiz</includeGroupIds>
 							<includeArtifactIds>BKUApplet</includeArtifactIds>
+							<stripVersion>true</stripVersion>
               <excludeTransitive>true</excludeTransitive>
 						</configuration>
 					</execution>
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
index 3aa6bc19..12166a5a 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
@@ -24,6 +24,7 @@ import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 
+import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -32,12 +33,12 @@ import javax.servlet.http.HttpSession;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import at.gv.egiz.bku.binding.BindingProcessor;
 import at.gv.egiz.bku.binding.HTTPBindingProcessor;
 import at.gv.egiz.bku.binding.HttpUtil;
 import at.gv.egiz.bku.binding.IdFactory;
 import at.gv.egiz.bku.utils.StreamUtil;
 import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
-import javax.servlet.RequestDispatcher;
 
 /**
  * Handles SL requests and instantiates BindingProcessors
@@ -52,7 +53,8 @@ public class BKURequestHandler extends SpringBKUServlet {
 
   protected Log log = LogFactory.getLog(BKURequestHandler.class);
 
-  private static String getStringFromStream(InputStream is, String encoding) throws IOException {
+  private static String getStringFromStream(InputStream is, String encoding)
+      throws IOException {
     if (is == null) {
       return null;
     }
@@ -63,8 +65,7 @@ public class BKURequestHandler extends SpringBKUServlet {
     StreamUtil.copyStream(is, os);
     return new String(os.toByteArray(), encoding);
   }
-  
-  
+
   protected void doPost(HttpServletRequest req, HttpServletResponse resp)
       throws ServletException, java.io.IOException {
     log.debug("Got new request");
@@ -75,21 +76,28 @@ public class BKURequestHandler extends SpringBKUServlet {
     HttpSession session = req.getSession(false);
     if (session != null) {
       log.warn("Already a session with id: " + session.getId()
-          + " active, continuing");
-      RequestDispatcher dispatcher = getServletContext().getNamedDispatcher(BKU_APPLET_JSP);
-      log.debug("forward to applet");
-      dispatcher.forward(req, resp);
-      return;
+          + " active, trying to get Bindingprocessor");
+      BindingProcessor bp = getBindingProcessorManager().getBindingProcessor(
+          IdFactory.getInstance().createId(session.getId()));
+      if (bp != null) {
+        log.debug("Found binding processor, using this one");
+        RequestDispatcher dispatcher = getServletContext().getNamedDispatcher(
+            BKU_APPLET_JSP);
+        log.debug("forward to applet");
+        dispatcher.forward(req, resp);
+        return;
+      }
+      log.debug("Did not find a binding processor, creating new ...");
     }
     session = req.getSession(true);
     if (log.isDebugEnabled()) {
       log.debug("Using session id: " + session.getId());
     }
-    
-    HTTPBindingProcessor bindingProcessor;
 
+    HTTPBindingProcessor bindingProcessor;
     bindingProcessor = (HTTPBindingProcessor) getBindingProcessorManager()
-        .createBindingProcessor(req.getRequestURL().toString(), session.getId(), locale);
+        .createBindingProcessor(req.getRequestURL().toString(),
+            session.getId(), locale);
 
     Map<String, String> headerMap = new HashMap<String, String>();
     for (Enumeration<String> headerName = req.getHeaderNames(); headerName
@@ -109,14 +117,20 @@ public class BKURequestHandler extends SpringBKUServlet {
     bindingProcessor.consumeRequestStream(req.getInputStream());
     req.getInputStream().close();
     getBindingProcessorManager().process(bindingProcessor);
-    
+
     log.trace("Trying to find applet parameters in request");
-    String width = getStringFromStream(bindingProcessor.getFormData("appletWidth"), charset);
-    String height = getStringFromStream(bindingProcessor.getFormData("appletHeight"), charset);
-    String background = getStringFromStream(bindingProcessor.getFormData("appletBackground"), charset);
-    String guiStyle = getStringFromStream(bindingProcessor.getFormData("appletGuiStyle"), charset);
-    String hashDataDisplay = getStringFromStream(bindingProcessor.getFormData("appletHashDataDisplay"), charset);
-    String localeFormParam = getStringFromStream(bindingProcessor.getFormData("locale"), charset);
+    String width = getStringFromStream(bindingProcessor
+        .getFormData("appletWidth"), charset);
+    String height = getStringFromStream(bindingProcessor
+        .getFormData("appletHeight"), charset);
+    String background = getStringFromStream(bindingProcessor
+        .getFormData("appletBackground"), charset);
+    String guiStyle = getStringFromStream(bindingProcessor
+        .getFormData("appletGuiStyle"), charset);
+    String hashDataDisplay = getStringFromStream(bindingProcessor
+        .getFormData("appletHashDataDisplay"), charset);
+    String localeFormParam = getStringFromStream(bindingProcessor
+        .getFormData("locale"), charset);
     if (width != null) {
       try {
         log.trace("Found applet width parameter: " + width);
@@ -148,7 +162,8 @@ public class BKURequestHandler extends SpringBKUServlet {
       session.setAttribute("appletHashDataDisplay", hashDataDisplay);
     }
     if (localeFormParam != null) {
-      log.debug("overrule accept-language locale " + locale + " with form param " + localeFormParam);
+      log.debug("overrule accept-language locale " + locale
+          + " with form param " + localeFormParam);
       locale = new Locale(localeFormParam);
     }
     if (locale != null) {
@@ -156,8 +171,9 @@ public class BKURequestHandler extends SpringBKUServlet {
       session.setAttribute("locale", locale.toString());
     }
 
-    //TODO error if no dispatcher found
-    RequestDispatcher dispatcher = getServletContext().getNamedDispatcher(BKU_APPLET_JSP);
+    // TODO error if no dispatcher found
+    RequestDispatcher dispatcher = getServletContext().getNamedDispatcher(
+        BKU_APPLET_JSP);
     log.debug("forward to applet");
     dispatcher.forward(req, resp);
   }
diff --git a/BKUOnline/src/main/webapp/applet/BKUApplet-1.0.2-SNAPSHOT.jar b/BKUOnline/src/main/webapp/applet/BKUApplet-1.0.2-SNAPSHOT.jar
deleted file mode 100644
index 74f00509..00000000
Binary files a/BKUOnline/src/main/webapp/applet/BKUApplet-1.0.2-SNAPSHOT.jar and /dev/null differ
diff --git a/BKUOnline/src/main/webapp/appletPage.jsp b/BKUOnline/src/main/webapp/appletPage.jsp
index ee5f429c..b73ed2f4 100644
--- a/BKUOnline/src/main/webapp/appletPage.jsp
+++ b/BKUOnline/src/main/webapp/appletPage.jsp
@@ -47,7 +47,7 @@
                 var attributes = {
                     codebase :'applet',
                     code :'at.gv.egiz.bku.online.applet.BKUApplet.class',
-                    archive :'BKUApplet-1.0.2-SNAPSHOT.jar, commons-logging-1.1.1.jar, iaik_jce_me4se-3.04.jar',
+                    archive :'BKUApplet.jar, commons-logging-1.1.1.jar, iaik_jce_me4se-3.04.jar',
                     width : <%=width%>,
                     height :<%=height%>
                 };
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
index ed4b9bda..61d3d7a5 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
@@ -65,7 +65,8 @@ public class AuthenticationClassifier {
 		} catch (CertificateParsingException e) {
 			log.error(e);
 		}
-		if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
+		if ((cert.getExtensionValue("1.2.40.0.10.1.1.1") != null)
+        || (cert.getExtensionValue("1.2.40.0.10.1.1.2") != null)) {
 			return true;
 		}
 		return false;
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java b/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
deleted file mode 100644
index 4835865f..00000000
--- a/smcc/src/test/java/at/gv/egiz/smcc/SMCCApplication.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.smcc;
-
-import java.util.Locale;
-
-import org.junit.Ignore;
-
-import at.gv.egiz.smcc.util.SMCCHelper;
-
-@Ignore
-public class SMCCApplication {
-
-  /**
-   * @param args
-   */
-  public static void main(String[] args) {
-    
-    SignatureCard sc = null;
-    SMCCHelper smccHelper = new SMCCHelper();
-    while (smccHelper.getResultCode() != SMCCHelper.CARD_FOUND) {
-      System.out.println("Did not get a signature card ... "+smccHelper.getResultCode());
-      smccHelper.update();
-      try {
-        Thread.sleep(1000);
-      } catch (InterruptedException e) {
-        // TODO Auto-generated catch block
-        e.printStackTrace();
-      }
-    }
-    sc = smccHelper.getSignatureCard(Locale.getDefault());
-    System.out.println("Found supported siganture card: "+sc);
-  }
-
-}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
deleted file mode 100644
index 7f421474..00000000
--- a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.smcc;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Locale;
-
-import javax.smartcardio.CardException;
-import javax.smartcardio.CommandAPDU;
-import javax.smartcardio.ResponseAPDU;
-
-import org.junit.Ignore;
-
-import sun.misc.HexDumpEncoder;
-
-import at.gv.egiz.smcc.SignatureCard.KeyboxName;
-import at.gv.egiz.smcc.util.SMCCHelper;
-
-@Ignore
-public class STARCOSCardTest {
-
-  /**
-   * @param args
-   * @throws Exception 
-   */
-  public static void main(String[] args) throws Exception {
-    
-    SMCCHelper helper = new SMCCHelper();
-    while (helper.getResultCode() != SMCCHelper.CARD_FOUND) {
-      System.out.println("Did not get a signature card ... " + helper.getResultCode());
-      helper.update();
-      try {
-        Thread.sleep(1000);
-      } catch (InterruptedException e) {
-        e.printStackTrace();
-      }
-    }
-    
-    SignatureCard signatureCard = helper.getSignatureCard(Locale.getDefault());
-    
-    System.out.println("Found '" + signatureCard + "'.");
-    
-    try {
-//      printJavaByteArray(
-//          signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR), System.out);
-//      printJavaByteArray(
-//          signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR), System.out);
-//      System.out. println(new String(signatureCard.getInfobox("IdentityLink", new CommandLinePINProvider(), null)));
-//        byte[] infobox = signatureCard.getInfobox("Status", new CommandLinePINProvider(), null);
-//        printJavaByteArray(infobox, System.out);
-      MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
-      byte[] digest = messageDigest.digest("test".getBytes());
-      byte[] signature = signatureCard.createSignature(digest, KeyboxName.SECURE_SIGNATURE_KEYPAIR, new CommandLinePINProvider());
-      printJavaByteArray(signature, System.out);
-    } catch (SignatureCardException e) {
-      e.printStackTrace();
-    }
-
-  }
-  
-  public static void printJavaByteArray(byte[] bytes, OutputStream os) {
-    
-    PrintWriter w = new PrintWriter(os);
-    
-    w.write("new byte[] {");
-    for (int i = 0; i < bytes.length;) {
-      if (i % 8 == 0) { 
-        w.write("\n  ");
-      }
-      w.write("(byte) 0x" + Integer.toHexString(0x0F & (bytes[i] >> 4)) + Integer.toHexString(0x0F & bytes[i]));
-      if (++i < bytes.length) {
-        w.write(", ");
-      }
-    }
-    w.write("\n};");
-    w.flush();
-  }
-  
-  private static class CommandLinePINProvider implements PINProvider {
-
-    @Override
-    public String providePIN(PINSpec spec, int retries) {
-      
-      InputStreamReader inputStreamReader = new InputStreamReader(System.in);
-      BufferedReader in = new BufferedReader(inputStreamReader);
-      
-      System.out.print("Enter " + spec.getLocalizedName() + " ["
-          + spec.getMinLength() + "-" + spec.getMaxLength() + "] (" + retries
-          + " retries):");
-      
-      try {
-        return in.readLine();
-      } catch (IOException e) {
-        return null;
-      }
-      
-    }
-    
-  }
-
-}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
deleted file mode 100644
index 115edc16..00000000
--- a/smcc/src/test/java/at/gv/egiz/smcc/SWCardTest.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.smcc;
-
-import java.math.BigInteger;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-
-import org.junit.Ignore;
-
-import at.gv.egiz.smcc.SignatureCard.KeyboxName;
-
-@Ignore
-public class SWCardTest implements PINProvider {
-
-  SWCard swCard = new SWCard();
-  
-  public static void main(String[] args) throws Exception {
-    
-    SWCardTest swCardTest = new SWCardTest();
-    swCardTest.test();
-    
-  }
-  
-  public void test() throws SignatureCardException, NoSuchAlgorithmException, InterruptedException {
-    
-    swCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
-    swCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
-    
-    BigInteger t = BigInteger.valueOf(System.currentTimeMillis());
-
-    MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
-    byte[] hash = messageDigest.digest(t.toByteArray());
-    
-    byte[] signature; 
-    signature = swCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR, this);
-    System.out.println(SignatureCardFactory.toString(signature));
-
-    signature = swCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR, this);
-    System.out.println(SignatureCardFactory.toString(signature));
-    
-    byte[] infobox = swCard.getInfobox("IdentityLink", this, null);
-    System.out.println(SignatureCardFactory.toString(infobox));
-
-  }
-
-  @Override
-  public String providePIN(PINSpec spec, int retries) {
-    return "buerger";
-  }
-  
-}
-- 
cgit v1.2.3


From 616e06910051528674165319a1d6d161dff5859c Mon Sep 17 00:00:00 2001
From: clemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Fri, 27 Mar 2009 17:33:11 +0000
Subject: 1.1-RC6 (pinpad, pinmgmt, secureviewer)

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@323 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../gv/egiz/bku/online/applet/AppletBKUWorker.java |   5 +-
 .../egiz/bku/online/applet/AppletSecureViewer.java |  79 +--
 .../at/gv/egiz/bku/online/applet/BKUApplet.java    |  10 +-
 .../java/at/gv/egiz/bku/gui/PINManagementGUI.java  |  26 +-
 .../at/gv/egiz/bku/gui/PINManagementGUIFacade.java |   9 +-
 .../java/at/gv/egiz/bku/gui/PINStatusRenderer.java |   2 -
 .../smccstal/ext/ManagementPINProviderFactory.java |  13 +-
 .../bku/smccstal/ext/PinpadPINProviderFactory.java |  45 +-
 .../gv/egiz/bku/gui/ActivationMessages.properties  |   6 +-
 .../egiz/bku/gui/ActivationMessages_en.properties  |   6 +-
 .../main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java |  40 +-
 .../main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java   | 603 +++++++++++++--------
 .../java/at/gv/egiz/bku/gui/HashDataViewer.java    | 293 ----------
 .../at/gv/egiz/bku/gui/SecureViewerDialog.java     | 371 +++++++++++++
 .../at/gv/egiz/bku/gui/Messages.properties         |   3 +-
 .../at/gv/egiz/bku/gui/Messages_en.properties      |   1 +
 .../src/main/resources/images/ChipperlingLogo.png  | Bin 0 -> 4035 bytes
 .../test/java/at/gv/egiz/bku/gui/BKUGUITest.java   |   5 +-
 .../test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java |   4 +-
 .../at/gv/egiz/bku/local/stal/BKUGuiProxy.java     |   8 +
 .../at/gv/egiz/bku/local/stal/LocalBKUWorker.java  |   3 +-
 .../gv/egiz/bku/local/stal/LocalSecureViewer.java  | 109 ++++
 .../bku/local/stal/LocalSignRequestHandler.java    |  83 +--
 .../gv/egiz/bku/online/conf/defaultConf.properties |   3 +
 BKUOnline/src/main/resources/log4j.properties      |   2 +-
 BKUOnline/src/main/webapp/SLRequestForm.html       |  27 +
 .../at/gv/egiz/bku/binding/ExpiryRemoverTest.java  | 101 ++--
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   | 130 ++---
 .../at/gv/egiz/smcc/AbstractSignatureCard.java     | 220 ++------
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 234 +++++---
 smcc/src/main/java/at/gv/egiz/smcc/SWCard.java     |  49 +-
 .../main/java/at/gv/egiz/smcc/SignatureCard.java   |  15 +-
 smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java  |  77 +++
 .../java/at/gv/egiz/smcc/ccid/DefaultReader.java   | 264 +++++++++
 .../at/gv/egiz/smcc/ccid/GemplusGemPCPinpad.java   |  65 +++
 .../java/at/gv/egiz/smcc/ccid/ReaderFactory.java   |  35 ++
 .../test/java/at/gv/egiz/smcc/ACOSCardTest.java    | 135 +++++
 .../test/java/at/gv/egiz/smcc/STARCOSCardTest.java | 267 +++++++++
 .../gv/egiz/bku/smccstal/AbstractPINProvider.java  |   2 +-
 .../gv/egiz/bku/smccstal/PINProviderFactory.java   |   3 +-
 .../bku/smccstal/PinpadPINProviderFactory.java     | 131 +++--
 .../java/at/gv/egiz/bku/smccstal/SecureViewer.java |  11 +-
 .../gv/egiz/bku/smccstal/SignRequestHandler.java   |  14 +-
 .../bku/smccstal/SoftwarePINProviderFactory.java   |  25 +-
 .../java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java |   7 +-
 45 files changed, 2364 insertions(+), 1177 deletions(-)
 delete mode 100644 BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/HashDataViewer.java
 create mode 100644 BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java
 create mode 100644 BKUCommonGUI/src/main/resources/images/ChipperlingLogo.png
 create mode 100644 BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSecureViewer.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ccid/GemplusGemPCPinpad.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ccid/ReaderFactory.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java

(limited to 'smcc/src/test/java')

diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java
index 9b9735f6..e8d8976d 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletBKUWorker.java
@@ -18,6 +18,7 @@ package at.gv.egiz.bku.online.applet;
 
 import at.gv.egiz.bku.smccstal.AbstractBKUWorker;
 import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.smccstal.SignRequestHandler;
 import at.gv.egiz.stal.STALRequest;
 import at.gv.egiz.stal.STALResponse;
 import at.gv.egiz.stal.SignRequest;
@@ -67,8 +68,10 @@ public class AppletBKUWorker extends AbstractBKUWorker implements Runnable {
       STALPortType stalPort = applet.getSTALPort();
       STALTranslator stalTranslator = applet.getSTALTranslator();
 
+      AppletSecureViewer secureViewer =
+              new AppletSecureViewer(gui, stalPort, sessionId);
       addRequestHandler(SignRequest.class,
-              new AppletSecureViewer(stalPort, sessionId));
+              new SignRequestHandler(secureViewer));
 
       GetNextRequestResponseType nextRequestResp = stalPort.connect(sessionId);
 
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
index e2551e2d..929cecb1 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
@@ -16,17 +16,8 @@
  */
 package at.gv.egiz.bku.online.applet;
 
+import at.gv.egiz.bku.gui.BKUGUIFacade;
 import at.gv.egiz.bku.smccstal.SecureViewer;
-import java.security.DigestException;
-import java.security.MessageDigest;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.smccstal.SignRequestHandler;
 import at.gv.egiz.stal.HashDataInput;
 import at.gv.egiz.stal.impl.ByteArrayHashDataInput;
 import at.gv.egiz.stal.service.GetHashDataInputFault;
@@ -34,49 +25,73 @@ import at.gv.egiz.stal.service.STALPortType;
 import at.gv.egiz.stal.service.types.GetHashDataInputResponseType;
 import at.gv.egiz.stal.service.types.GetHashDataInputType;
 import at.gv.egiz.stal.signedinfo.ReferenceType;
+import at.gv.egiz.stal.signedinfo.SignedInfoType;
+import java.awt.event.ActionListener;
+import java.security.DigestException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
 /**
- * A SignRequesthandler that obtains hashdata inputs from a STAL webservice and
- * displays these either within the applet or in a separate frame.
- * The internal viewer displays plaintext data only, other mimetypes can be saved to disk.
- * The standalone (frame) viewer displays all mimetypes.
- * 
- * (This class depends on STALService and therefore is not part of BKUCommonGUI.)
- * 
+ *
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
  */
-public class AppletSecureViewer extends SignRequestHandler {
+public class AppletSecureViewer implements SecureViewer {
 
   private static final Log log = LogFactory.getLog(AppletSecureViewer.class);
+
+  protected BKUGUIFacade gui;
   protected STALPortType stalPort;
   protected String sessId;
+  protected List<HashDataInput> verifiedDataToBeSigned;
 
-  public AppletSecureViewer(STALPortType stalPort, String sessId) {
-    if (stalPort == null || sessId == null) {
+  public AppletSecureViewer(BKUGUIFacade gui, STALPortType stalPort,
+          String sessId) {
+    if (gui == null) {
+      throw new NullPointerException("GUI must not be null");
+    }
+    if (stalPort == null) {
       throw new NullPointerException("STAL port must not be null");
     }
-    this.sessId = sessId;
+    if (sessId == null) {
+      throw new NullPointerException("session id must not be null");
+    }
+    this.gui = gui;
     this.stalPort = stalPort;
+    this.sessId = sessId;
   }
 
   /**
-   * TODO don't throw exceptions
+   * retrieves the data to be signed for
    * @param signedReferences
+   * @param okListener
+   * @param okCommand
+   * @param cancelListener
+   * @param cancelCommand
    * @throws java.security.DigestException
    * @throws java.lang.Exception
    */
   @Override
-  public void displayDataToBeSigned(List<ReferenceType> signedReferences) 
+  public void displayDataToBeSigned(SignedInfoType signedInfo,
+          ActionListener okListener, String okCommand)
           throws DigestException, Exception {
-
-  List<GetHashDataInputResponseType.Reference> hdi = getHashDataInput(signedReferences);
-    List<HashDataInput> verifiedHashDataInputs = verifyHashDataInput(signedReferences, hdi);
-
-    if (verifiedHashDataInputs.size() > 0) {
-      gui.showSecureViewer(verifiedHashDataInputs, this, "hashDataDone");
+    
+    if (verifiedDataToBeSigned == null) {
+      log.info("retrieve data to be signed for dsig:SignedInfo " +
+              signedInfo.getId());
+      List<GetHashDataInputResponseType.Reference> hdi = 
+              getHashDataInput(signedInfo.getReference());
+      verifiedDataToBeSigned = verifyHashDataInput(signedInfo.getReference(),
+              hdi);
+    }
+    if (verifiedDataToBeSigned.size() > 0) {
+      gui.showSecureViewer(verifiedDataToBeSigned, okListener, okCommand);
     } else {
-      throw new Exception("No signature data (apart from any QualifyingProperties or a Manifest)");
+      throw new Exception("No data to be signed (apart from any QualifyingProperties or a Manifest)");
     }
   }
 
@@ -110,7 +125,7 @@ public class AppletSecureViewer extends SignRequestHandler {
         }
       }
     }
-    
+
     if (request.getReference().size() < 1) {
       log.error("No signature data (apart from any QualifyingProperties or a Manifest) for session " + sessId);
       throw new Exception("No signature data (apart from any QualifyingProperties or a Manifest)");
@@ -187,7 +202,7 @@ public class AppletSecureViewer extends SignRequestHandler {
         verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding));
       }
     }
-    
+
     return verifiedHashDataInputs;
   }
 
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java
index a4337bbd..0ddb6dc6 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/BKUApplet.java
@@ -34,6 +34,7 @@ import at.gv.egiz.bku.gui.BKUGUIFacade;
 import at.gv.egiz.bku.gui.BKUGUIImpl;
 import at.gv.egiz.stal.service.STALPortType;
 import at.gv.egiz.stal.service.STALService;
+import java.applet.AppletContext;
 import java.awt.Container;
 import javax.xml.namespace.QName;
 
@@ -207,14 +208,19 @@ public class BKUApplet extends JApplet {
    */
   protected void sendRedirect(String sessionId) {
     try {
+      AppletContext ctx = getAppletContext();
+      if (ctx == null) {
+        log.error("no applet context (applet might already have been destroyed)");
+        return;
+      }
       URL redirectURL = getURLParameter(REDIRECT_URL, sessionId);
       String redirectTarget = getParameter(REDIRECT_TARGET);
       if (redirectTarget == null) {
         log.info("Done. Redirecting to " + redirectURL + " ...");
-        getAppletContext().showDocument(redirectURL);
+        ctx.showDocument(redirectURL);
       } else {
         log.info("Done. Redirecting to " + redirectURL + " (target=" + redirectTarget + ") ...");
-        getAppletContext().showDocument(redirectURL, redirectTarget);
+        ctx.showDocument(redirectURL, redirectTarget);
       }
     } catch (MalformedURLException ex) {
       log.warn("Failed to redirect: " + ex.getMessage(), ex);
diff --git a/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java b/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java
index 159dd29d..d1ca6c00 100644
--- a/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java
+++ b/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java
@@ -118,18 +118,18 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                 pinStatusTable.setDefaultRenderer(PINSpec.class, new PINSpecRenderer());
                 pinStatusTable.setDefaultRenderer(STATUS.class, new PINStatusRenderer(cardmgmtMessages));
                 pinStatusTable.setTableHeader(null);
-
-                pinStatusTable.addMouseMotionListener(new MouseMotionAdapter() {
-
-                  @Override
-                  public void mouseMoved(MouseEvent e) {
-                    if (pinStatusTable.columnAtPoint(e.getPoint()) == 0) {
-                      pinStatusTable.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
-                    } else {
-                      pinStatusTable.setCursor(Cursor.getDefaultCursor());
-                    }
-                  }
-                });
+                pinStatusTable.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
+//                pinStatusTable.addMouseMotionListener(new MouseMotionAdapter() {
+//
+//                  @Override
+//                  public void mouseMoved(MouseEvent e) {
+//                    if (pinStatusTable.columnAtPoint(e.getPoint()) == 0) {
+//                      pinStatusTable.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
+//                    } else {
+//                      pinStatusTable.setCursor(Cursor.getDefaultCursor());
+//                    }
+//                  }
+//                });
 
                 final JButton activateButton = new JButton();
                 activateButton.setFont(activateButton.getFont().deriveFont(activateButton.getFont().getStyle() & ~java.awt.Font.BOLD));
@@ -392,7 +392,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                 if (pinpad) {
                   JLabel pinpadLabel = new JLabel();
                   pinpadLabel.setFont(mgmtLabel.getFont().deriveFont(mgmtLabel.getFont().getStyle() & ~Font.BOLD));
-                  String pinpadPattern = getMessage(MESSAGE_PINPAD);
+                  String pinpadPattern = getMessage(MESSAGE_VERIFYPIN_PINPAD);
                   pinpadLabel.setText(MessageFormat.format(pinpadPattern,
                           new Object[] { pinSpec.getLocalizedName(), pinSize }));
                   
diff --git a/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java b/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java
index 45313f42..f0cc0a27 100644
--- a/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java
+++ b/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java
@@ -40,13 +40,16 @@ public interface PINManagementGUIFacade extends BKUGUIFacade {
   public static final String MESSAGE_ACTIVATE_SUCCESS = "activate.success";
   public static final String MESSAGE_CHANGE_SUCCESS = "change.success";
   public static final String MESSAGE_PINMGMT = "pin.mgmt";
-  public static final String MESSAGE_PINPAD = "pinpad";
-  public static final String MESSAGE_CHANGEPIN_PINPAD = "pinpad.change";
+//  public static final String MESSAGE_PINPAD = "pinpad";
   public static final String MESSAGE_ACTIVATE_PIN = "activate.pin";
   public static final String MESSAGE_CHANGE_PIN = "change.pin";
   public static final String MESSAGE_VERIFY_PIN = "verify.pin";
   public static final String MESSAGE_UNBLOCK_PIN = "unblock.pin";
-  
+  public static final String MESSAGE_ACTIVATEPIN_PINPAD = "activate.pinpad";
+  public static final String MESSAGE_CHANGEPIN_PINPAD = "change.pinpad";
+  public static final String MESSAGE_VERIFYPIN_PINPAD = "verify.pinpad";
+  public static final String MESSAGE_UNBLOCKPIN_PINPAD = "unblock.pinpad";
+
   public static final String LABEL_OLD_PIN = "label.old.pin";
   public static final String LABEL_NEW_PIN = "label.new.pin";
   public static final String LABEL_REPEAT_PIN = "label.repeat.pin";
diff --git a/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINStatusRenderer.java b/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINStatusRenderer.java
index 4cb84b77..83ff74f2 100644
--- a/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINStatusRenderer.java
+++ b/BKUAppletExt/src/main/java/at/gv/egiz/bku/gui/PINStatusRenderer.java
@@ -22,8 +22,6 @@ import java.awt.Color;
 import java.awt.Font;
 import java.util.ResourceBundle;
 import javax.swing.table.DefaultTableCellRenderer;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 
 /**
  *
diff --git a/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/ManagementPINProviderFactory.java b/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/ManagementPINProviderFactory.java
index b0dd8766..d635b8df 100644
--- a/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/ManagementPINProviderFactory.java
+++ b/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/ManagementPINProviderFactory.java
@@ -19,6 +19,7 @@ package at.gv.egiz.bku.smccstal.ext;
 
 import at.gv.egiz.smcc.ChangePINProvider;
 import at.gv.egiz.bku.gui.PINManagementGUIFacade;
+import at.gv.egiz.smcc.ccid.CCID;
 import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.SignatureCard;
 
@@ -33,13 +34,13 @@ public abstract class ManagementPINProviderFactory {
   
   public static ManagementPINProviderFactory getInstance(SignatureCard forCard,
           PINManagementGUIFacade gui) {
-//    if (forCard.ifdSupportsFeature(SignatureCard.FEATURE_VERIFY_PIN_DIRECT)) {
-////      forCard.ifdSupportsFeature(SignatureCard.FEATURE_MODIFY_PIN_DIRECT)
-//      return new PinpadPINProviderFactory(gui);
-//
-//    } else {
+    if (forCard.getReader().hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
+//      forCard.ifdSupportsFeature(SignatureCard.FEATURE_MODIFY_PIN_DIRECT)
+      return new PinpadPINProviderFactory(gui);
+
+    } else {
       return new SoftwarePINProviderFactory(gui);
-//    }
+    }
   }
 
   public abstract PINProvider getVerifyPINProvider();
diff --git a/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PinpadPINProviderFactory.java b/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PinpadPINProviderFactory.java
index 4176e0a9..a9ad5ef8 100644
--- a/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PinpadPINProviderFactory.java
+++ b/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PinpadPINProviderFactory.java
@@ -73,23 +73,6 @@ public class PinpadPINProviderFactory extends ManagementPINProviderFactory {
       showPinpadPINDialog(retries, spec);
       retry = true;
       return null;
-
-//      gui.showPINDialog(type, spec, (retry) ? retries : -1,
-//              this, "exec",
-//              this, "back");
-//
-//      waitForAction();
-//
-//      if ("exec".equals(action)) {
-//        gui.showWaitDialog(null);
-//        retry = true;
-//        return gui.getPin();
-//      } else if ("back".equals(action)) {
-//        throw new CancelledException();
-//      } else {
-//        log.error("unsupported command " + action);
-//        throw new CancelledException();
-//      }
     }
 
     /**
@@ -111,14 +94,38 @@ public class PinpadPINProviderFactory extends ManagementPINProviderFactory {
         title = BKUGUIFacade.TITLE_RETRY;
         message = BKUGUIFacade.MESSAGE_RETRIES;
         params = new Object[]{String.valueOf(retries)};
-      } else {
-        title = BKUGUIFacade.TITLE_SIGN;
+      } else if (type == DIALOG.VERIFY) {
+        title = PINManagementGUIFacade.TITLE_VERIFY_PIN;
         message = BKUGUIFacade.MESSAGE_ENTERPIN_PINPAD;
         String pinSize = String.valueOf(pinSpec.getMinLength());
         if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
           pinSize += "-" + pinSpec.getMaxLength();
         }
         params = new Object[]{pinSpec.getLocalizedName(), pinSize};
+      } else if (type == DIALOG.ACTIVATE) {
+        title = PINManagementGUIFacade.TITLE_ACTIVATE_PIN;
+        message = PINManagementGUIFacade.MESSAGE_ACTIVATEPIN_PINPAD;
+        String pinSize = String.valueOf(pinSpec.getMinLength());
+        if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
+          pinSize += "-" + pinSpec.getMaxLength();
+        }
+        params = new Object[]{pinSpec.getLocalizedName(), pinSize};
+      } else if (type == DIALOG.CHANGE) {
+        title = PINManagementGUIFacade.TITLE_CHANGE_PIN;
+        message = PINManagementGUIFacade.MESSAGE_CHANGEPIN_PINPAD;
+        String pinSize = String.valueOf(pinSpec.getMinLength());
+        if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
+          pinSize += "-" + pinSpec.getMaxLength();
+        }
+        params = new Object[]{pinSpec.getLocalizedName(), pinSize};
+      } else { //if (type == DIALOG.UNBLOCK) {
+        title = PINManagementGUIFacade.TITLE_UNBLOCK_PIN;
+        message = PINManagementGUIFacade.MESSAGE_UNBLOCKPIN_PINPAD;
+        String pinSize = String.valueOf(pinSpec.getMinLength());
+        if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
+          pinSize += "-" + pinSpec.getMaxLength();
+        }
+        params = new Object[]{pinSpec.getLocalizedName(), pinSize};
       }
       gui.showMessageDialog(title, message, params);
     }
diff --git a/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties b/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties
index 4ceacb21..c6d219d4 100644
--- a/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties
+++ b/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties
@@ -24,12 +24,14 @@ title.change.success=<html>Erfolg</html>
 
 # removed message.* prefix to reuse keys as help keys
 pin.mgmt=<html>Die Karte verf\u00FCgt \u00FCber {0} PINs</html>
-pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben und best\u00E4tigen.</html>
-pinpad.change=<html>{0} ({1} stellig) am Kartenleser eingeben und best\u00E4tigen.</html>
 activate.pin=<html>{0} eingeben und best\u00E4tigen</html>
 change.pin=<html>{0} eingeben und best\u00E4tigen</html>
 unblock.pin=<html>PUK zu {0} eingeben</html>
 verify.pin=<html>{0} eingeben (TODO: Warning not activated)</html>
+verify.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben (und best\u00E4tigen).</html>
+activate.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben und wiederholen (jeweils best\u00E4tigen).</html>
+change.pinpad=<html>Alte {0} ({1} stellig) am Kartenleser eingeben, danach neue {0} eingeben und wiederholen (jeweils best\u00E4tigen). </html>
+unblock.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben (und best\u00E4tigen).</html>
 activate.success=<html>{0} wurde erfolgreich aktiviert.</html>
 change.success=<html>{0} wurde erfolgreich ge\u00E4ndert.</html>
 
diff --git a/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties b/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties
index 9178d65c..b4bededf 100644
--- a/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties
+++ b/BKUAppletExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties
@@ -23,11 +23,13 @@ title.change.success=<html>Success</html>
 
 # removed message.* prefix to reuse keys as help keys
 pin.mgmt=<html>The smartcard has {0} PINs</html>
-pinpad=<html>Enter {0} ({1} digits) on pinpad and confirm.</html>
-pinpad.change=<html>Enter {0} ({1} digits) on pinpad and confirm.</html>
 activate.pin=<html>Enter and confirm {0}</html>
 change.pin=<html>Enter and confirm {0}</html>
 unblock.pin=<html>Enter PUK for {0}</html>
+verify.pinpad=<html>Enter {0} ({1} digits) on cardreader (and confirm).</html>
+activate.pinpad=<html>Enter {0} ({1} digits) on cardreader and repeat (confirm in each case).</html>
+change.pinpad=<html>Enter old {0} ({1} digits) on cardreader, then enter new {0} and repeat (confirm in each case).</html>
+unblock.pinpad=<html>Enter {0} ({1} digits) on cardreader (and confirm).</html>
 activate.success=<html>{0} successfully activated</html>
 change.success=<html>{0} successfully changed</html>
 
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java
index 1043b6a1..4b079428 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java
@@ -43,6 +43,7 @@ public interface BKUGUIFacade {
   
   public static final String MESSAGES_BUNDLE = "at/gv/egiz/bku/gui/Messages";
   public static final String DEFAULT_BACKGROUND = "/images/BackgroundChipperling.png";
+  public static final String DEFAULT_ICON = "/images/ChipperlingLogo.png";
   public static final String HELP_IMG = "/images/help.png";
   public static final String HASHDATA_FONT = "Monospaced";
   public static final Color ERROR_COLOR = Color.RED;
@@ -58,6 +59,7 @@ public interface BKUGUIFacade {
   public static final String TITLE_WAIT = "title.wait";
   public static final String TITLE_HASHDATA = "title.hashdata";
   public static final String WINDOWTITLE_SAVE = "windowtitle.save";
+  public static final String WINDOWTITLE_ERROR = "windowtitle.error";
   public static final String WINDOWTITLE_SAVEDIR = "windowtitle.savedir";
   public static final String WINDOWTITLE_OVERWRITE = "windowtitle.overwrite";
   public static final String WINDOWTITLE_VIEWER = "windowtitle.viewer";
@@ -102,42 +104,36 @@ public interface BKUGUIFacade {
 
   public enum Style { tiny, simple, advanced };
     
-//  public void init(Container contentPane, Locale locale, Style guiStyle, URL background, ActionListener helpListener);
-
   /**
    * BKUWorker needs to init signature card with locale
    * @return
    */
   public Locale getLocale();
 
-//  public void showWelcomeDialog();
-
-  /**
-   * 
-   * @param waitMessage if null, a simple 'please wait' text is displayed
-   */
-//  public void showWaitDialog(String waitMessage);
-
-//  public void showInsertCardDialog(ActionListener cancelListener, String actionCommand);
-
-//  public void showCardNotSupportedDialog(ActionListener cancelListener, String actionCommand);
-
   public void showCardPINDialog(PINSpec pinSpec, int numRetries,
           ActionListener okListener, String okCommand,
           ActionListener cancelListener, String cancelCommand);
 
-//  public void showCardPINRetryDialog(PINSpec pinSpec, int numRetries, ActionListener okListener, String okCommand, ActionListener cancelListener, String cancelCommand);
-
-  public void showSignaturePINDialog(PINSpec pinSpec, int numRetries, ActionListener signListener, String signCommand, ActionListener cancelListener, String cancelCommand, ActionListener hashdataListener, String hashdataCommand);
-
-//  public void showSignaturePINRetryDialog(PINSpec pinSpec, int numRetries, ActionListener okListener, String okCommand, ActionListener cancelListener, String cancelCommand, ActionListener hashdataListener, String hashdataCommand);
+  public void showSignaturePINDialog(PINSpec pinSpec, int numRetries,
+          ActionListener signListener, String signCommand,
+          ActionListener cancelListener, String cancelCommand,
+          ActionListener viewerListener, String viewerCommand);
 
-//  public void showPinpadSignaturePINDialog(PINSpec pinSpec, int retries);
+  public void showPinpadSignaturePINDialog(PINSpec pinSpec, int numRetries, 
+          ActionListener viewerListener, String viewerCommand);
 
   public char[] getPin();
 
-  public void showSecureViewer(List<HashDataInput> signedReferences,
-          ActionListener okListener, String okCommand);
+  /**
+   *
+   * @param dataToBeSigned
+   * @param backListener if list of references hides pin dialog, backListener
+   * receives an action when user hits 'back' button (i.e. whenever the pin-dialog
+   * needs to be re-paint)
+   * @param backCommand
+   */
+  public void showSecureViewer(List<HashDataInput> dataToBeSigned,
+          ActionListener backListener, String backCommand);
 
   public void showErrorDialog(String errorMsgKey, Object[] errorMsgParams,
           ActionListener okListener, String okCommand);
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java
index 928be249..a7eebbfd 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java
@@ -71,6 +71,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
     }
 
     protected HelpMouseListener helpListener;
+    protected SecureViewerDialog secureViewer;
     
     protected Container contentPane;
     protected ResourceBundle messages;
@@ -145,13 +146,16 @@ public class BKUGUIImpl implements BKUGUIFacade {
                 @Override
                 public void run() {
                   
-                  log.debug("initializing gui");
+                  log.debug("initializing gui [" + Thread.currentThread().getName() + "]");
 
                   if (renderIconPanel) {
                     initIconPanel(background);
                     initContentPanel(null);
                   } else {
-                    initContentPanel(background);
+                    initContentPanel((background == null) ?
+                      getClass().getResource(DEFAULT_BACKGROUND) :
+                      background
+                    );
                   }
                   
                   GroupLayout layout = new GroupLayout(contentPane);
@@ -159,15 +163,27 @@ public class BKUGUIImpl implements BKUGUIFacade {
                   
                   if (renderIconPanel) {
                     layout.setHorizontalGroup(layout.createSequentialGroup()
-                        .addComponent(iconPanel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
-                        .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED)
-                        .addComponent(contentPanel, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE));
-                    layout.setVerticalGroup(layout.createParallelGroup(GroupLayout.Alignment.LEADING)
-                      .addComponent(iconPanel, GroupLayout.Alignment.TRAILING, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
-                      .addComponent(contentPanel, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE));
+                            .addContainerGap()
+                            .addComponent(iconPanel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
+                            .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED)
+                            .addComponent(contentPanel, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
+                            .addContainerGap());
+                    layout.setVerticalGroup(layout.createSequentialGroup()
+                            .addContainerGap()
+                            .addGroup(layout.createParallelGroup(GroupLayout.Alignment.LEADING)
+                              .addComponent(iconPanel, GroupLayout.Alignment.TRAILING, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
+                              .addComponent(contentPanel, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
+                            .addContainerGap());
                   } else {
-                    layout.setHorizontalGroup(layout.createSequentialGroup().addComponent(contentPanel));
-                    layout.setVerticalGroup(layout.createSequentialGroup().addComponent(contentPanel));
+                    layout.setHorizontalGroup(layout.createSequentialGroup()
+                            // left border
+                            .addContainerGap()
+                            .addComponent(contentPanel)
+                            .addContainerGap());
+                    layout.setVerticalGroup(layout.createSequentialGroup()
+                            .addContainerGap()
+                            .addComponent(contentPanel)
+                            .addContainerGap());
                   }
                 }
             });
@@ -178,11 +194,12 @@ public class BKUGUIImpl implements BKUGUIFacade {
     
     protected void initIconPanel(URL background) {
       if (background == null) {
-        background = getClass().getResource(DEFAULT_BACKGROUND);
+        background = getClass().getResource(DEFAULT_ICON);
       }
       if ("file".equals(background.getProtocol())) {
-        log.warn("file:// background images not permitted: " + background);
-        background = getClass().getResource(DEFAULT_BACKGROUND);
+        log.warn("file:// background images not permitted: " + background +
+                ", loading default background");
+        background = getClass().getResource(DEFAULT_ICON);
       }
       log.debug("loading icon panel background " + background);
       
@@ -194,26 +211,24 @@ public class BKUGUIImpl implements BKUGUIFacade {
       iconPanel.setLayout(iconPanelLayout);
       iconPanelLayout.setHorizontalGroup(
         iconPanelLayout.createSequentialGroup()
-          .addContainerGap()
           .addComponent(iconLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE));
-          // no gap here (contentPanel has containerGap)
       iconPanelLayout.setVerticalGroup(
         iconPanelLayout.createSequentialGroup()
-          .addContainerGap()
-          .addComponent(iconLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
-          .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE));
+          .addComponent(iconLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE));
     }
 
     protected void initContentPanel(URL background) { 
 
+//      if (background == null) {
+//        background = getClass().getResource(DEFAULT_BACKGROUND);
+//      }
       if (background == null) {
-        background = getClass().getResource(DEFAULT_BACKGROUND);
-      }
-      if (background == null) {
+        log.debug("no background image set");
           contentPanel = new JPanel();
       } else {
           if ("file".equals(background.getProtocol())) {
-            log.warn("file:// background images not permitted: " + background);
+            log.warn("file:// background images not permitted: " + background +
+                    ", loading default background");
             background = getClass().getResource(DEFAULT_BACKGROUND);
           }
           log.debug("loading background " + background);
@@ -257,34 +272,29 @@ public class BKUGUIImpl implements BKUGUIFacade {
       GroupLayout contentPanelLayout = new GroupLayout(contentPanel);
       contentPanel.setLayout(contentPanelLayout);
 
-      GroupLayout.ParallelGroup horizontalContentInner = contentPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING);
+      // align header, main and button to the right
+      GroupLayout.ParallelGroup horizontalContent =
+              contentPanelLayout.createParallelGroup(GroupLayout.Alignment.TRAILING); //LEADING);
+      GroupLayout.SequentialGroup verticalContent =
+              contentPanelLayout.createSequentialGroup();
+
       if (renderHeaderPanel) {
-        horizontalContentInner
+        horizontalContent
                 .addComponent(headerPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE);
+        verticalContent
+                .addComponent(headerPanel, 0, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
+                .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED);
+
       }
-      horizontalContentInner
+      horizontalContent
               .addComponent(mainPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
-              .addComponent(buttonPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE);
-      GroupLayout.SequentialGroup horizontalContentOuter = contentPanelLayout.createSequentialGroup();
-      if (!renderIconPanel) {
-        horizontalContentOuter
-                .addContainerGap();
-      }
-      horizontalContentOuter
-              .addGroup(horizontalContentInner)
-              .addContainerGap();
-      contentPanelLayout.setHorizontalGroup(horizontalContentOuter);
-      
-      GroupLayout.SequentialGroup verticalContent = contentPanelLayout.createSequentialGroup();
-      verticalContent.addContainerGap();
-      if (renderHeaderPanel) {
-        verticalContent.addComponent(headerPanel, 0, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
-          .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED);
-      }
-      verticalContent.addComponent(mainPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) 
-        .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED)
-        .addComponent(buttonPanel, 0, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
-        .addContainerGap();
+              .addComponent(buttonPanel, 0, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE); //Short.MAX_VALUE);
+      verticalContent
+              .addComponent(mainPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
+              .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED)
+              .addComponent(buttonPanel, 0, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE);
+
+      contentPanelLayout.setHorizontalGroup(horizontalContent); //Outer);
       contentPanelLayout.setVerticalGroup(verticalContent);
     }
 
@@ -521,7 +531,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
             @Override
             public void run() {
 
-              log.debug("show card-pin dialog");
+              log.debug("show card-pin dialog [" + Thread.currentThread().getName() + "]");
       
                 mainPanel.removeAll();
                 buttonPanel.removeAll();
@@ -653,7 +663,6 @@ public class BKUGUIImpl implements BKUGUIFacade {
                 buttonPanel.setLayout(buttonPanelLayout);
 
                 GroupLayout.SequentialGroup buttonHorizontal = buttonPanelLayout.createSequentialGroup()
-                        .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
                         .addComponent(okButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE);
                 GroupLayout.Group buttonVertical;
                 
@@ -700,6 +709,128 @@ public class BKUGUIImpl implements BKUGUIFacade {
 //        showSignaturePINDialog(pinSpec, -1, signListener, signCommand, cancelListener, cancelCommand, hashdataListener, hashdataCommand);
 //    }
 
+    @Override
+    public void showPinpadSignaturePINDialog(final PINSpec pinSpec, final int numRetries,
+//            final ActionListener cancelListener, final String cancelCommand,
+            final ActionListener hashdataListener, final String hashdataCommand) {
+
+        log.debug("scheduling pinpad signature-pin dialog");
+
+        SwingUtilities.invokeLater(new Runnable() {
+
+            @Override
+            public void run() {
+
+              log.debug("show pinpad signature-pin dialog [" + Thread.currentThread().getName() + "]");
+
+                mainPanel.removeAll();
+                buttonPanel.removeAll();
+
+                if (renderHeaderPanel) {
+                  if (numRetries < 0) {
+                      titleLabel.setText(getMessage(TITLE_SIGN));
+                  } else {
+                      titleLabel.setText(getMessage(TITLE_RETRY));
+                  }
+                }
+
+                JLabel infoLabel = new JLabel();
+                if (numRetries < 0) {
+                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
+                  if (shortText) {
+                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
+                  } else {
+                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
+                  }
+                  infoLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
+                  infoLabel.setForeground(HYPERLINK_COLOR);
+                  infoLabel.addMouseListener(new MouseAdapter() {
+
+                      @Override
+                      public void mouseClicked(MouseEvent me) {
+                          ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
+                          hashdataListener.actionPerformed(e);
+                      }
+                  });
+                  helpListener.setHelpTopic(HELP_SIGNPIN);
+                } else {
+                  String retryPattern;
+                  if (numRetries < 2) {
+                    retryPattern = getMessage(MESSAGE_LAST_RETRY);
+                  } else {
+                    retryPattern = getMessage(MESSAGE_RETRIES);
+                  }
+                  infoLabel.setText(MessageFormat.format(retryPattern, new Object[]{String.valueOf(numRetries)}));
+                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() | java.awt.Font.BOLD));
+                  infoLabel.setForeground(ERROR_COLOR);
+                  helpListener.setHelpTopic(HELP_RETRY);
+                }
+
+                String pinSize = String.valueOf(pinSpec.getMinLength());
+                if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
+                    pinSize += "-" + pinSpec.getMaxLength();
+                }
+
+                String msgPattern = getMessage(MESSAGE_ENTERPIN_PINPAD);
+                String msg = MessageFormat.format(msgPattern, new Object[] {
+                  pinSpec.getLocalizedName(), pinSize });
+
+                JLabel msgLabel = new JLabel();
+                msgLabel.setFont(msgLabel.getFont().deriveFont(msgLabel.getFont().getStyle() & ~Font.BOLD));
+                msgLabel.setText(msg);
+
+                GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
+                mainPanel.setLayout(mainPanelLayout);
+
+                GroupLayout.SequentialGroup infoHorizontal = mainPanelLayout.createSequentialGroup()
+                        .addComponent(infoLabel);
+                GroupLayout.ParallelGroup infoVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+                        .addComponent(infoLabel);
+
+                if (!renderHeaderPanel) {
+                  infoHorizontal
+                          .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
+                          .addComponent(helpLabel);
+                  infoVertical
+                          .addComponent(helpLabel);
+                }
+
+                mainPanelLayout.setHorizontalGroup(
+                  mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+                    .addGroup(infoHorizontal)
+                    .addComponent(msgLabel));
+
+                mainPanelLayout.setVerticalGroup(
+                  mainPanelLayout.createSequentialGroup()
+                    .addGroup(infoVertical)
+                    .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                    .addComponent(msgLabel));
+
+                //no cancel button (cancel via pinpad)
+//                if (renderCancelButton) {
+//                    JButton cancelButton = new JButton();
+//                    cancelButton.setFont(cancelButton.getFont().deriveFont(cancelButton.getFont().getStyle() & ~java.awt.Font.BOLD));
+//                    cancelButton.setText(getMessage(BUTTON_CANCEL));
+//                    cancelButton.setActionCommand(cancelCommand);
+//                    cancelButton.addActionListener(cancelListener);
+//
+//                    GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
+//                    buttonPanel.setLayout(buttonPanelLayout);
+//
+//                    GroupLayout.SequentialGroup buttonHorizontal = buttonPanelLayout.createSequentialGroup()
+//                            .addComponent(cancelButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE);
+//                    GroupLayout.SequentialGroup buttonVertical = buttonPanelLayout.createSequentialGroup()
+//                            .addComponent(cancelButton);
+//
+//                    buttonPanelLayout.setHorizontalGroup(buttonHorizontal);
+//                    buttonPanelLayout.setVerticalGroup(buttonVertical);
+//                }
+
+                contentPanel.validate();
+            }
+        });
+    }
+
     @Override
     public void showSignaturePINDialog(final PINSpec pinSpec, final int numRetries,
             final ActionListener signListener, final String signCommand,
@@ -717,7 +848,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
             @Override
             public void run() {
               
-              log.debug("show signature-pin dialog");
+              log.debug("show signature-pin dialog [" + Thread.currentThread().getName() + "]");
       
                 mainPanel.removeAll();
                 buttonPanel.removeAll();
@@ -730,6 +861,38 @@ public class BKUGUIImpl implements BKUGUIFacade {
                   }
                 }
 
+                JLabel infoLabel = new JLabel();
+                if (numRetries < 0) {
+                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
+                  if (shortText) {
+                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
+                  } else {
+                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
+                  }
+                  infoLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
+                  infoLabel.setForeground(HYPERLINK_COLOR);
+                  infoLabel.addMouseListener(new MouseAdapter() {
+
+                      @Override
+                      public void mouseClicked(MouseEvent me) {
+                          ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
+                          hashdataListener.actionPerformed(e);
+                      }
+                  });
+                  helpListener.setHelpTopic(HELP_SIGNPIN);
+                } else {
+                  String retryPattern;
+                  if (numRetries < 2) {
+                    retryPattern = getMessage(MESSAGE_LAST_RETRY);
+                  } else {
+                    retryPattern = getMessage(MESSAGE_RETRIES);
+                  }
+                  infoLabel.setText(MessageFormat.format(retryPattern, new Object[]{String.valueOf(numRetries)}));
+                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() | java.awt.Font.BOLD));
+                  infoLabel.setForeground(ERROR_COLOR);
+                  helpListener.setHelpTopic(HELP_RETRY);
+                }
+
                 JButton signButton = new JButton();
                 signButton.setFont(signButton.getFont().deriveFont(signButton.getFont().getStyle() & ~java.awt.Font.BOLD));
                 signButton.setText(getMessage(BUTTON_SIGN));
@@ -765,46 +928,14 @@ public class BKUGUIImpl implements BKUGUIFacade {
                 }
                 pinsizeLabel.setText(MessageFormat.format(pinsizePattern, new Object[]{pinSize}));
 
-                JLabel infoLabel = new JLabel();
-                if (numRetries < 0) {
-                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
-                  if (shortText) {
-                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
-                  } else {
-                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
-                  }
-                  infoLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
-                  infoLabel.setForeground(HYPERLINK_COLOR);
-                  infoLabel.addMouseListener(new MouseAdapter() {
-
-                      @Override
-                      public void mouseClicked(MouseEvent me) {
-                          ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
-                          hashdataListener.actionPerformed(e);
-                      }
-                  });
-                  helpListener.setHelpTopic(HELP_SIGNPIN);
-                } else {
-                  String retryPattern;
-                  if (numRetries < 2) {
-                    retryPattern = getMessage(MESSAGE_LAST_RETRY);
-                  } else {
-                    retryPattern = getMessage(MESSAGE_RETRIES);
-                  }
-                  infoLabel.setText(MessageFormat.format(retryPattern, new Object[]{String.valueOf(numRetries)}));
-                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() | java.awt.Font.BOLD));
-                  infoLabel.setForeground(ERROR_COLOR);
-                  helpListener.setHelpTopic(HELP_RETRY);
-                }
-
                 GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
                 mainPanel.setLayout(mainPanelLayout);
-                
+
                 GroupLayout.SequentialGroup infoHorizontal = mainPanelLayout.createSequentialGroup()
                         .addComponent(infoLabel);
                 GroupLayout.ParallelGroup infoVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
                         .addComponent(infoLabel);
-                       
+
                 if (!renderHeaderPanel) {
                   infoHorizontal
                           .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
@@ -814,8 +945,8 @@ public class BKUGUIImpl implements BKUGUIFacade {
                 }
 
                 // align pinfield and pinsize to the right
-                GroupLayout.ParallelGroup pinHorizontal = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.TRAILING);
-                GroupLayout.Group pinVertical;
+                GroupLayout.Group pinHorizontal = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.TRAILING);
+                GroupLayout.SequentialGroup pinVertical = mainPanelLayout.createSequentialGroup();
 
                 if (pinLabelPos == PinLabelPosition.ABOVE) {
                   pinHorizontal
@@ -823,20 +954,25 @@ public class BKUGUIImpl implements BKUGUIFacade {
                             .addComponent(signPinLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
                             .addComponent(pinField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
                           .addComponent(pinsizeLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE);
-                  pinVertical = mainPanelLayout.createSequentialGroup()
+                  pinVertical
                           .addComponent(signPinLabel)
                           .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
-                          .addComponent(pinField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE);
-                } else {
+                          .addComponent(pinField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
+                          .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                          .addComponent(pinsizeLabel);
+                } else { // PinLabelPosition.LEFT
                   pinHorizontal
                           .addGroup(mainPanelLayout.createSequentialGroup()
                             .addComponent(signPinLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
                             .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
                             .addComponent(pinField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
                           .addComponent(pinsizeLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE);
-                  pinVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE)
-                          .addComponent(signPinLabel)
-                          .addComponent(pinField);
+                  pinVertical
+                          .addGroup(mainPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE)
+                            .addComponent(signPinLabel)
+                            .addComponent(pinField))
+                          .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                          .addComponent(pinsizeLabel);
                 }
 
                 mainPanelLayout.setHorizontalGroup(
@@ -848,18 +984,14 @@ public class BKUGUIImpl implements BKUGUIFacade {
                   mainPanelLayout.createSequentialGroup()
                     .addGroup(infoVertical)
                     .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
-                    .addGroup(pinVertical)
-                    .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
-                    .addComponent(pinsizeLabel));
+                    .addGroup(pinVertical));
 
                 GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
                 buttonPanel.setLayout(buttonPanelLayout);
 
-                GroupLayout.SequentialGroup buttonHorizontal = buttonPanelLayout.createSequentialGroup()
-                        .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
-                        .addComponent(signButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE);
+                GroupLayout.SequentialGroup buttonHorizontal = buttonPanelLayout.createSequentialGroup();
                 GroupLayout.Group buttonVertical;
-                
+
                 if (renderCancelButton) {
                   JButton cancelButton = new JButton();
                   cancelButton.setFont(cancelButton.getFont().deriveFont(cancelButton.getFont().getStyle() & ~java.awt.Font.BOLD));
@@ -868,17 +1000,19 @@ public class BKUGUIImpl implements BKUGUIFacade {
                   cancelButton.addActionListener(cancelListener);
 
                   buttonHorizontal
+                          .addComponent(signButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE)
                           .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
                           .addComponent(cancelButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE);
-                  
                   buttonVertical = buttonPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE)
                           .addComponent(signButton)
-                          .addComponent(cancelButton); 
+                          .addComponent(cancelButton);
                 } else {
+                  buttonHorizontal
+                          .addComponent(signButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE);
                   buttonVertical = buttonPanelLayout.createSequentialGroup()
                           .addComponent(signButton);
                 }
-                
+
                 buttonPanelLayout.setHorizontalGroup(buttonHorizontal);
                 buttonPanelLayout.setVerticalGroup(buttonVertical);
 
@@ -951,7 +1085,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
           @Override
             public void run() {
 
-                log.debug("show message dialog");
+                log.debug("show message dialog [" + Thread.currentThread().getName() + "]");
 
                 mainPanel.removeAll();
                 buttonPanel.removeAll();
@@ -1011,7 +1145,6 @@ public class BKUGUIImpl implements BKUGUIFacade {
 
                   buttonPanelLayout.setHorizontalGroup(
                     buttonPanelLayout.createSequentialGroup()
-                          .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
                           .addComponent(okButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE));
                   buttonPanelLayout.setVerticalGroup(
                     buttonPanelLayout.createSequentialGroup()
@@ -1084,68 +1217,69 @@ public class BKUGUIImpl implements BKUGUIFacade {
         }
         return null;
     }
+
+
+    ////////////////////////////////////////////////////////////////////////////
+    // SECURE VIEWER
+    ////////////////////////////////////////////////////////////////////////////
+
     
     /**
-     * TODO handle multiple references in HashDataViewer
      * @param signedReferences
-     * @param okListener
+     * @param backListener gets notified if pin-dialog has to be redrawn
+     * (signedRefencesList returns via BACK button)
      * @param okCommand
      */
     @Override
-    public void showSecureViewer(final List<HashDataInput> signedReferences,
-            final ActionListener okListener, 
-            final String okCommand) {
-      
-      if (signedReferences == null) {
-        showErrorDialog(getMessage(ERR_NO_HASHDATA), new Object[] {"No SignedReferences provided"}, okListener, okCommand);
-        return;
-      }
+    public void showSecureViewer(final List<HashDataInput> dataToBeSigned,
+            final ActionListener backListener, final String backCommand) {
       
-      if (signedReferences.size() == 1) {
+      if (dataToBeSigned == null) {
+        showErrorDialog(getMessage(ERR_NO_HASHDATA),
+                new Object[] {"no signature data provided"},
+                backListener, backCommand);
+      } else if (dataToBeSigned.size() == 1) {
         try {
-          log.debug("scheduling hashdata viewer");
+          log.debug("scheduling secure viewer");
 
-          SwingUtilities.invokeAndWait(new Runnable() {
+          SwingUtilities.invokeLater(new Runnable() {
 
             @Override
             public void run() {
-              ActionListener saveHashDataListener = new ActionListener() {
-
-                @Override
-                public void actionPerformed(ActionEvent e) {
-                  HashDataInput hdi = signedReferences.get(0);
-                  showSaveHashDataInputDialog(Collections.singletonList(hdi), okListener, okCommand);
-                }
-              };
-              showHashDataViewer(signedReferences.get(0), saveHashDataListener, "save");
+              showSecureViewer(dataToBeSigned.get(0)); 
             }
           });
        
-        } catch (InterruptedException ex) {
-          log.error("Failed to display HashDataViewer: " + ex.getMessage());
-        } catch (InvocationTargetException ex) {
-          log.error("Failed to display HashDataViewer: " + ex.getMessage());
+        } catch (Exception ex) { //InterruptedException InvocationTargetException
+          log.error("Failed to display secure viewer: " + ex.getMessage());
+          log.trace(ex);
+          showErrorDialog(ERR_UNKNOWN, null, backListener, backCommand);
         }
       } else {
-        showSignedReferencesListDialog(signedReferences, okListener, okCommand);
+        showSignedReferencesListDialog(dataToBeSigned, backListener, backCommand);
       }
     }
     
     /**
      * has to be called from event dispatcher thread
+     * This method blocks until the dialog's close button is pressed.
      * @param hashDataText
      * @param saveListener
      * @param saveCommand
      */
-    private void showHashDataViewer(final HashDataInput hashDataInput, final ActionListener saveListener, final String saveCommand) {
+    private void showSecureViewer(HashDataInput dataToBeSigned) {
       
-      log.debug("show hashdata viewer");
-
-      ActionListener l = helpListener.getActionListener();
-      HashDataViewer.showHashDataInput(contentPane, hashDataInput, messages, saveListener, saveCommand, l);
+      log.debug("show secure viewer [" + Thread.currentThread().getName() + "]");
+      if (secureViewer == null) {
+        secureViewer = new SecureViewerDialog(null, messages,
+                helpListener.getActionListener());
+      }
+      secureViewer.setContent(dataToBeSigned);
+      log.trace("show secure viewer returned");
     }
     
-    private void showSignedReferencesListDialog(final List<HashDataInput> signedReferences, final ActionListener backListener, final String backCommand) {
+    private void showSignedReferencesListDialog(final List<HashDataInput> signedReferences,
+            final ActionListener backListener, final String backCommand) {
       
       log.debug("scheduling signed references list dialog");
       
@@ -1154,7 +1288,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
         @Override
         public void run() {
           
-          log.debug("show signed references list dialog");
+          log.debug("show signed references list dialog [" + Thread.currentThread().getName() + "]");
           
           mainPanel.removeAll();
           buttonPanel.removeAll();
@@ -1202,13 +1336,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
                   int selectionIdx = lsm.getMinSelectionIndex();
                   if (selectionIdx >= 0) {
                     final HashDataInput selection = signedReferences.get(selectionIdx);
-                    showHashDataViewer(selection, new ActionListener() {
-
-                      @Override
-                      public void actionPerformed(ActionEvent e) {
-                        showSaveHashDataInputDialog(Collections.singletonList(selection), null, null);
-                      }
-                    }, "save");
+                    showSecureViewer(selection);
                   }
                 }
               });
@@ -1255,9 +1383,8 @@ public class BKUGUIImpl implements BKUGUIFacade {
           buttonPanel.setLayout(buttonPanelLayout);
 
           buttonPanelLayout.setHorizontalGroup(buttonPanelLayout.createSequentialGroup()
-                  .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
                   .addComponent(backButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE));
-          buttonPanelLayout.setVerticalGroup(buttonPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE)
+          buttonPanelLayout.setVerticalGroup(buttonPanelLayout.createSequentialGroup()
                   .addComponent(backButton));
 
           contentPanel.validate();
@@ -1266,96 +1393,101 @@ public class BKUGUIImpl implements BKUGUIFacade {
     }
     
     /**
-     * 
-     * @param signedRefs
      * @param okListener may be null
-     * @param okCommand
      */
-    private void showSaveHashDataInputDialog(final List<HashDataInput> signedRefs, final ActionListener okListener, final String okCommand) {
-      
-      log.debug("scheduling save hashdatainput dialog");
-      
-      SwingUtilities.invokeLater(new Runnable() {
+//    private void showSaveDialog(final List<HashDataInput> signedRefs,
+//            final ActionListener okListener, final String okCommand) {
+//
+//      log.debug("scheduling save dialog");
+//
+//      SwingUtilities.invokeLater(new Runnable() {
+//
+//        @Override
+//        public void run() {
+//
+//          log.debug("show save dialog");
+//
+//          String userHome = System.getProperty("user.home");
+//
+//          JFileChooser fileDialog = new JFileChooser(userHome);
+//          fileDialog.setMultiSelectionEnabled(false);
+//          fileDialog.setDialogType(JFileChooser.SAVE_DIALOG);
+//          fileDialog.setFileHidingEnabled(true);
+//          if (signedRefs.size() == 1) {
+//            fileDialog.setDialogTitle(getMessage(WINDOWTITLE_SAVE));
+//            fileDialog.setFileSelectionMode(JFileChooser.FILES_ONLY);
+//            String mimeType = signedRefs.get(0).getMimeType();
+//            MimeFilter mimeFilter = new MimeFilter(mimeType, messages);
+//            fileDialog.setFileFilter(mimeFilter);
+//            String filename = getMessage(SAVE_HASHDATAINPUT_PREFIX) + MimeFilter.getExtension(mimeType);
+//            fileDialog.setSelectedFile(new File(userHome, filename));
+//          } else {
+//            fileDialog.setDialogTitle(getMessage(WINDOWTITLE_SAVEDIR));
+//            fileDialog.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
+//          }
+//
+//          //parent contentPane -> placed over applet
+//          switch (fileDialog.showSaveDialog(fileDialog)) {
+//            case JFileChooser.APPROVE_OPTION:
+//              File f = fileDialog.getSelectedFile();
+//              for (HashDataInput hashDataInput : signedRefs) {
+//                String mimeType = hashDataInput.getMimeType();
+//                String id = hashDataInput.getReferenceId();
+//                File file;
+//                if (f.isDirectory()) {
+//                  String filename = getMessage(SAVE_HASHDATAINPUT_PREFIX) + '_' + id + MimeFilter.getExtension(mimeType);
+//                  file = new File(f, filename);
+//                } else {
+//                  file = f;
+//                }
+//                if (file.exists()) {
+//                  String ovrwrt = getMessage(MESSAGE_OVERWRITE);
+//                  int overwrite = JOptionPane.showConfirmDialog(fileDialog, MessageFormat.format(ovrwrt, file), getMessage(WINDOWTITLE_OVERWRITE), JOptionPane.OK_CANCEL_OPTION);
+//                  if (overwrite != JOptionPane.OK_OPTION) {
+//                    continue;
+//                  }
+//                }
+//                if (log.isDebugEnabled()) {
+//                    log.debug("writing hashdata input " + id + " (" + mimeType + ") to file " + file);
+//                }
+//                FileOutputStream fos = null;
+//                try {
+//                    fos = new FileOutputStream(file);
+//                    BufferedOutputStream bos = new BufferedOutputStream(fos);
+//                    InputStream hdi = hashDataInput.getHashDataInput();
+//                    int b;
+//                    while ((b = hdi.read()) != -1) {
+//                        bos.write(b);
+//                    }
+//                    bos.flush();
+//                    bos.close();
+//                } catch (IOException ex) {
+//                    log.error("Failed to write " + file + ": " + ex.getMessage());
+//                    showErrorDialog(ERR_WRITE_HASHDATA, new Object[] {ex.getMessage()}, null, null);
+//                    ex.printStackTrace();
+//                } finally {
+//                    try {
+//                        fos.close();
+//                    } catch (IOException ex) {
+//                    }
+//                }
+//              }
+//              break;
+//            case JFileChooser.CANCEL_OPTION :
+//              log.debug("cancelled save dialog");
+//              break;
+//          }
+//          if (okListener != null) {
+//            okListener.actionPerformed(new ActionEvent(fileDialog, ActionEvent.ACTION_PERFORMED, okCommand));
+//          }
+//        }
+//      });
+//    }
+
+    ////////////////////////////////////////////////////////////////////////////
+    // UTILITY METHODS
+    ////////////////////////////////////////////////////////////////////////////
 
-        @Override
-        public void run() {
-          
-          log.debug("show save hashdatainput dialog");
-      
-          String userHome = System.getProperty("user.home");
-          
-          JFileChooser fileDialog = new JFileChooser(userHome); 
-          fileDialog.setMultiSelectionEnabled(false);
-          fileDialog.setDialogType(JFileChooser.SAVE_DIALOG);
-          fileDialog.setFileHidingEnabled(true);
-          if (signedRefs.size() == 1) {
-            fileDialog.setDialogTitle(getMessage(WINDOWTITLE_SAVE));
-            fileDialog.setFileSelectionMode(JFileChooser.FILES_ONLY);
-            String mimeType = signedRefs.get(0).getMimeType();
-            MimeFilter mimeFilter = new MimeFilter(mimeType, messages);
-            fileDialog.setFileFilter(mimeFilter);
-            String filename = getMessage(SAVE_HASHDATAINPUT_PREFIX) + MimeFilter.getExtension(mimeType);
-            fileDialog.setSelectedFile(new File(userHome, filename));
-          } else {
-            fileDialog.setDialogTitle(getMessage(WINDOWTITLE_SAVEDIR));
-            fileDialog.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
-          }
-          
-          //parent contentPane -> placed over applet
-          switch (fileDialog.showSaveDialog(fileDialog)) {
-            case JFileChooser.APPROVE_OPTION:
-              File f = fileDialog.getSelectedFile();
-              for (HashDataInput hashDataInput : signedRefs) {
-                String mimeType = hashDataInput.getMimeType();
-                String id = hashDataInput.getReferenceId();
-                File file;
-                if (f.isDirectory()) {
-                  String filename = getMessage(SAVE_HASHDATAINPUT_PREFIX) + '_' + id + MimeFilter.getExtension(mimeType);
-                  file = new File(f, filename);
-                } else {
-                  file = f;
-                }
-                if (file.exists()) {
-                  String ovrwrt = getMessage(MESSAGE_OVERWRITE);
-                  int overwrite = JOptionPane.showConfirmDialog(fileDialog, MessageFormat.format(ovrwrt, file), getMessage(WINDOWTITLE_OVERWRITE), JOptionPane.OK_CANCEL_OPTION);
-                  if (overwrite != JOptionPane.OK_OPTION) {
-                    continue;
-                  }
-                }
-                if (log.isDebugEnabled()) {
-                    log.debug("Writing HashDataInput " + id + " (" + mimeType + ") to file " + file);
-                }
-                FileOutputStream fos = null;
-                try {
-                    fos = new FileOutputStream(file);
-                    BufferedOutputStream bos = new BufferedOutputStream(fos);
-                    InputStream hdi = hashDataInput.getHashDataInput();
-                    int b;
-                    while ((b = hdi.read()) != -1) {
-                        bos.write(b);
-                    }
-                    bos.flush();
-                    bos.close();
-                } catch (IOException ex) {
-                    log.error("Failed to write HashDataInput to file " + file + ": " + ex.getMessage());
-                    showErrorDialog(ERR_WRITE_HASHDATA, new Object[] {ex.getMessage()}, null, null);
-                    ex.printStackTrace();
-                } finally {
-                    try {
-                        fos.close();
-                    } catch (IOException ex) {
-                    }
-                }    
-              }  
-          }
-          log.debug("done saving hashdatainput");
-          if (okListener != null) {
-            okListener.actionPerformed(new ActionEvent(fileDialog, ActionEvent.ACTION_PERFORMED, okCommand));
-          }
-        }
-      });
-    }
-    
     private void registerHelpListener(ActionListener helpListener) {
       if (helpListener != null) {
         this.helpListener = new HelpMouseListener(helpListener);
@@ -1371,6 +1503,11 @@ public class BKUGUIImpl implements BKUGUIFacade {
       }
     }
 
+
+    ////////////////////////////////////////////////////////////////////////////
+    // INITIALIZERS (MAY BE OVERRIDDEN BY SUBCLASSES)
+    ////////////////////////////////////////////////////////////////////////////
+
     /**
      * Called from constructor.
      * Subclasses may override this method to ensure the message bundle is loaded
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/HashDataViewer.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/HashDataViewer.java
deleted file mode 100644
index 6c097b2a..00000000
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/HashDataViewer.java
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package at.gv.egiz.bku.gui;
-
-import at.gv.egiz.bku.gui.html.RestrictedHTMLEditorKit;
-import at.gv.egiz.stal.HashDataInput;
-import java.awt.Component;
-import java.awt.Container;
-import java.awt.Cursor;
-import java.awt.Dimension;
-import java.awt.Font;
-import java.awt.Frame;
-import java.awt.event.ActionEvent;
-import java.awt.event.ActionListener;
-import java.awt.event.MouseAdapter;
-import java.awt.event.MouseEvent;
-import java.io.BufferedReader;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.nio.charset.Charset;
-import java.text.MessageFormat;
-import java.util.ResourceBundle;
-import javax.swing.GroupLayout;
-import javax.swing.ImageIcon;
-import javax.swing.JButton;
-import javax.swing.JDialog;
-import javax.swing.JEditorPane;
-import javax.swing.JLabel;
-import javax.swing.JOptionPane;
-import javax.swing.JPanel;
-import javax.swing.JScrollPane;
-import javax.swing.LayoutStyle;
-import javax.swing.text.Document;
-import javax.swing.text.EditorKit;
-import javax.swing.text.StyledEditorKit;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-/**
- *
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public class HashDataViewer extends JDialog
-        implements ActionListener {
-
-  public static final String PLAINTEXT_FONT = "Monospaced";
-  protected static final Log log = LogFactory.getLog(HashDataViewer.class);
-
-  private static HashDataViewer dialog;
-  
-  protected ResourceBundle messages;
-  
-  /**
-   * 
-   * @param signedReferences currently, only one hashdata input (the first in the list) is displayed
-   */
-  public static void showHashDataInput(HashDataInput hashDataInput,
-          ResourceBundle messages,
-          ActionListener saveListener,
-          String saveCommand,
-          ActionListener helpListener) {
-    showHashDataInput(null, hashDataInput, messages, saveListener, saveCommand, helpListener);
-  }
-  
-  /**
-   * 
-   * @param frameComp owner
-   */
-  public static void showHashDataInput(Component frameComp,
-          HashDataInput hashDataInput,
-          ResourceBundle messages,
-          ActionListener saveListener,
-          String saveCommand,
-          ActionListener helpListener) {
-    
-    Frame frame = null;
-    if (frameComp != null) {
-      JOptionPane.getFrameForComponent(frameComp);
-    }
-    dialog = new HashDataViewer(frame, 
-            messages,
-            hashDataInput, 
-            saveListener, 
-            saveCommand, 
-            helpListener);
-    dialog.setVisible(true);
-  }
-
-  private HashDataViewer(Frame frame,
-          ResourceBundle messages,
-          HashDataInput hashDataInput,
-          ActionListener saveListener,
-          String saveCommand,
-          ActionListener helpListener) {
-    super(frame, messages.getString(BKUGUIFacade.WINDOWTITLE_VIEWER), true);
-    this.messages = messages;
-
-    Charset cs;
-    if (hashDataInput.getEncoding() == null) {
-      cs = Charset.forName("UTF-8");
-    } else {
-      try {
-        cs = Charset.forName(hashDataInput.getEncoding());
-      } catch (Exception ex) {
-        log.debug("charset " + hashDataInput.getEncoding() + " not supported, assuming UTF-8: " + ex.getMessage());
-        cs = Charset.forName("UTF-8");
-      }  
-    }
-    
-    
-    InputStreamReader isr = new InputStreamReader(hashDataInput.getHashDataInput(), cs);
-    Reader content = new BufferedReader(isr);
-  
-    JPanel hashDataPanel = createViewerPanel(content, 
-            hashDataInput.getMimeType(), 
-            helpListener);
-    JPanel buttonPanel = createButtonPanel(saveListener, saveCommand);
-    initContentPane(new Dimension(600, 400), hashDataPanel, buttonPanel);
-
-    pack();
-    if (frame != null) {
-      setLocationRelativeTo(frame);
-    } else {
-      setLocationByPlatform(true);
-    }
-  }
-
-  private void initContentPane(Dimension preferredSize, JPanel viewerPanel, JPanel buttonPanel) {
-    Container contentPane = getContentPane();
-    contentPane.setPreferredSize(preferredSize);
-
-    GroupLayout mainLayout = new GroupLayout(contentPane);
-    contentPane.setLayout(mainLayout);
-
-    mainLayout.setHorizontalGroup(
-            mainLayout.createSequentialGroup().addContainerGap().addGroup(
-            mainLayout.createParallelGroup(GroupLayout.Alignment.LEADING).addComponent(viewerPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE).addComponent(buttonPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)).addContainerGap());
-    mainLayout.setVerticalGroup(
-            mainLayout.createSequentialGroup()
-              .addContainerGap()
-              .addComponent(viewerPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
-              .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED)
-              .addComponent(buttonPanel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
-              .addContainerGap());
-  }
-
-  /**
-   * 
-   * @param messages
-   * @param content
-   * @param mimeType defaults to text/plain if null 
-   * @param encoding must be null if document contains charset declaration (e.g. HTML page), otherwise the parser crashes
-   * @param helpListener may be null
-   * @return
-   */
-  private JPanel createViewerPanel(Reader content, 
-          String mimeType, 
-          final ActionListener helpListener) {
-
-    if (mimeType == null) {
-      mimeType = "text/plain";
-    }
-    log.debug("viewer dialog: " + mimeType);
-
-    JEditorPane viewer = new JEditorPane();
-    viewer.setEditable(false);
-    viewer.setContentType(mimeType);
-    
-    if ("text/plain".equals(mimeType)) {
-      viewer.setEditorKit(new StyledEditorKit());
-      viewer.setFont(new Font(PLAINTEXT_FONT, viewer.getFont().getStyle(), viewer.getFont().getSize()));
-//    } else if ("text/html".equals(mimeType)) {
-//      viewer.setEditorKit(new RestrictedHTMLEditorKit());
-    } else if ("application/xhtml+xml".equals(mimeType)) {
-      viewer.setContentType("text/html");
-    }
-    
-    EditorKit editorKit = viewer.getEditorKit();
-    Document document = editorKit.createDefaultDocument();
-//    document.putProperty("IgnoreCharsetDirective", new Boolean(true));
-    
-    try {
-        viewer.read(content, document);
-        content.close();
-    } catch (Exception ex) {
-      log.error(ex.getMessage(), ex);
-      String p = messages.getString(BKUGUIFacade.ERR_VIEWER);
-      viewer.setText(MessageFormat.format(p, ex.getMessage()));
-    }
-
-    JScrollPane scrollPane = new JScrollPane(viewer);
-    scrollPane.setPreferredSize(viewer.getPreferredSize());
-    scrollPane.setAlignmentX(LEFT_ALIGNMENT);
-    viewer.setCaretPosition(0);
-
-    JPanel viewerPanel = new JPanel();
-    GroupLayout viewerPanelLayout = new GroupLayout(viewerPanel);
-    viewerPanel.setLayout(viewerPanelLayout);
-
-    GroupLayout.SequentialGroup infoHorizontal = viewerPanelLayout.createSequentialGroup();
-    GroupLayout.ParallelGroup infoVertical = viewerPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING);
-
-    if ("application/xhtml+xml".equals(mimeType)) {
-      JLabel viewerLabel = new JLabel();
-      viewerLabel.setText(messages.getString(BKUGUIFacade.WARNING_XHTML));
-      viewerLabel.setFont(viewerLabel.getFont().deriveFont(viewerLabel.getFont().getStyle() | java.awt.Font.BOLD));
-      viewerLabel.setLabelFor(viewer);
-
-      infoHorizontal.addComponent(viewerLabel);
-      infoVertical.addComponent(viewerLabel);
-    }
-
-    if (helpListener != null) {
-      JLabel helpLabel = new JLabel();
-      helpLabel.setIcon(new ImageIcon(getClass().getResource(BKUGUIFacade.HELP_IMG)));
-      helpLabel.getAccessibleContext().setAccessibleName(messages.getString(BKUGUIFacade.ALT_HELP));
-      helpLabel.addMouseListener(new MouseAdapter() {
-
-        @Override
-        public void mouseClicked(MouseEvent arg0) {
-            ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, BKUGUIFacade.HELP_HASHDATAVIEWER);
-            helpListener.actionPerformed(e);
-        }
-      });
-      helpLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
-
-      infoHorizontal
-              .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
-              .addComponent(helpLabel);
-      infoVertical
-              .addComponent(helpLabel);
-    }
-
-    viewerPanelLayout.setHorizontalGroup(
-          viewerPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
-            .addGroup(infoHorizontal)
-            .addComponent(scrollPane));
-    viewerPanelLayout.setVerticalGroup(
-          viewerPanelLayout.createSequentialGroup()
-            .addGroup(infoVertical)
-            .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
-            .addComponent(scrollPane));
-
-    
-    return viewerPanel;
-  }
-  
-  private JPanel createButtonPanel(ActionListener saveListener, String saveCommand) {
-    JButton closeButton = new JButton();
-    closeButton.setText(messages.getString(BKUGUIFacade.BUTTON_CLOSE));
-    closeButton.addActionListener(this);
-
-    JButton saveButton = new JButton();
-    saveButton.setText(messages.getString(BKUGUIFacade.BUTTON_SAVE));
-    saveButton.setActionCommand(saveCommand);
-    saveButton.addActionListener(saveListener);
-
-    int buttonSize = closeButton.getPreferredSize().width;
-    if (saveButton.getPreferredSize().width > buttonSize) {
-      buttonSize = saveButton.getPreferredSize().width;
-    }
-
-    JPanel buttonPanel = new JPanel();
-    GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
-    buttonPanel.setLayout(buttonPanelLayout);
-
-    buttonPanelLayout.setHorizontalGroup(
-            buttonPanelLayout.createSequentialGroup().addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE).addComponent(saveButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE).addPreferredGap(LayoutStyle.ComponentPlacement.RELATED).addComponent(closeButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE));
-    buttonPanelLayout.setVerticalGroup(
-            buttonPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE).addComponent(saveButton).addComponent(closeButton));
-
-    return buttonPanel;
-  }
-
-  @Override
-  public void actionPerformed(ActionEvent e) {
-    HashDataViewer.dialog.setVisible(false);
-  }
-}
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java
new file mode 100644
index 00000000..6a16306b
--- /dev/null
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java
@@ -0,0 +1,371 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.gui;
+
+import at.gv.egiz.stal.HashDataInput;
+import java.awt.Container;
+import java.awt.Cursor;
+import java.awt.Dimension;
+import java.awt.Font;
+import java.awt.Frame;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.awt.event.MouseAdapter;
+import java.awt.event.MouseEvent;
+import java.io.BufferedOutputStream;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.nio.charset.Charset;
+import java.text.MessageFormat;
+import java.util.ResourceBundle;
+import javax.swing.GroupLayout;
+import javax.swing.ImageIcon;
+import javax.swing.JButton;
+import javax.swing.JDialog;
+import javax.swing.JEditorPane;
+import javax.swing.JFileChooser;
+import javax.swing.JLabel;
+import javax.swing.JOptionPane;
+import javax.swing.JPanel;
+import javax.swing.JScrollPane;
+import javax.swing.LayoutStyle;
+import javax.swing.SwingUtilities;
+import javax.swing.text.Document;
+import javax.swing.text.EditorKit;
+import javax.swing.text.StyledEditorKit;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class SecureViewerDialog extends JDialog implements ActionListener {
+
+  public static final String PLAINTEXT_FONT = "Monospaced";
+  public static final Dimension VIEWER_DIMENSION = new Dimension(600, 400);
+  protected static final Log log = LogFactory.getLog(SecureViewerDialog.class);
+
+//  private static SecureViewerDialog dialog;
+  protected ResourceBundle messages;
+  protected JEditorPane viewer;
+  protected JLabel viewerLabel;
+  protected JScrollPane scrollPane;
+  protected HashDataInput content; //remember for save dialog
+
+  /**
+   * Create and display a modal SecureViewer dialog.
+   * This method blocks until the dialog's close button is pressed.
+   * 
+   * @param owner, dialog is positioned relative to its owner
+   * (if null, at default location of native windowing system)
+   */
+//  public static void showDataToBeSigned(HashDataInput dataToBeSigned,
+//          ResourceBundle messages,
+//          ActionListener saveListener, String saveCommand,
+//          ActionListener helpListener) {
+//
+////      Frame ownerFrame = (owner != null) ?
+////        JOptionPane.getFrameForComponent(owner) :
+////        null;
+//    dialog = new SecureViewerDialog(null, messages,
+//            saveListener, saveCommand, helpListener);
+//    dialog.setContent(dataToBeSigned);
+//    dialog.setVisible(true);
+//  }
+  public SecureViewerDialog(Frame owner, ResourceBundle messages,
+//          ActionListener saveListener, String saveCommand,
+          ActionListener helpListener) {
+    super(owner, messages.getString(BKUGUIFacade.WINDOWTITLE_VIEWER), true);
+    this.messages = messages;
+
+    initContentPane(VIEWER_DIMENSION,
+            createViewerPanel(helpListener),
+            createButtonPanel()); //saveListener, saveCommand));
+
+    pack();
+    if (owner != null) {
+      setLocationRelativeTo(owner);
+    } else {
+      setLocationByPlatform(true);
+    }
+  }
+
+  private void initContentPane(Dimension preferredSize,
+          JPanel viewerPanel, JPanel buttonPanel) {
+    Container contentPane = getContentPane();
+    contentPane.setPreferredSize(preferredSize);
+
+    GroupLayout mainLayout = new GroupLayout(contentPane);
+    contentPane.setLayout(mainLayout);
+
+    mainLayout.setHorizontalGroup(
+            mainLayout.createSequentialGroup().addContainerGap().addGroup(
+            mainLayout.createParallelGroup(GroupLayout.Alignment.LEADING).addComponent(viewerPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE).addComponent(buttonPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)).addContainerGap());
+    mainLayout.setVerticalGroup(
+            mainLayout.createSequentialGroup().addContainerGap().addComponent(viewerPanel, 0, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE).addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED).addComponent(buttonPanel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE).addContainerGap());
+  }
+
+  /**
+   * @param helpListener may be null
+   */
+  private JPanel createViewerPanel(final ActionListener helpListener) {
+    viewer = new JEditorPane();
+    viewer.setEditable(false);
+
+    scrollPane = new JScrollPane();
+
+    JPanel viewerPanel = new JPanel();
+    GroupLayout viewerPanelLayout = new GroupLayout(viewerPanel);
+    viewerPanel.setLayout(viewerPanelLayout);
+
+    GroupLayout.SequentialGroup infoHorizontal = viewerPanelLayout.createSequentialGroup();
+    GroupLayout.ParallelGroup infoVertical = viewerPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING);
+
+    viewerLabel = new JLabel();
+    viewerLabel.setFont(viewerLabel.getFont().deriveFont(viewerLabel.getFont().getStyle() | java.awt.Font.BOLD));
+//    viewerLabel.setLabelFor(viewer);
+
+    infoHorizontal.addComponent(viewerLabel);
+    infoVertical.addComponent(viewerLabel);
+
+    if (helpListener != null) {
+      JLabel helpLabel = new JLabel();
+      helpLabel.setIcon(new ImageIcon(getClass().getResource(BKUGUIFacade.HELP_IMG)));
+      helpLabel.getAccessibleContext().setAccessibleName(messages.getString(BKUGUIFacade.ALT_HELP));
+      helpLabel.addMouseListener(new MouseAdapter() {
+
+        @Override
+        public void mouseClicked(MouseEvent arg0) {
+          ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, BKUGUIFacade.HELP_HASHDATAVIEWER);
+          helpListener.actionPerformed(e);
+        }
+      });
+      helpLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
+
+      infoHorizontal.addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE).addComponent(helpLabel);
+      infoVertical.addComponent(helpLabel);
+    }
+
+    viewerPanelLayout.setHorizontalGroup(
+            viewerPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING).addGroup(infoHorizontal).addComponent(scrollPane));
+    viewerPanelLayout.setVerticalGroup(
+            viewerPanelLayout.createSequentialGroup().addGroup(infoVertical).addPreferredGap(LayoutStyle.ComponentPlacement.RELATED).addComponent(scrollPane));
+
+    return viewerPanel;
+  }
+
+  /**
+   * Sets the hashdataInput to be displayed and makes the dialog visible.
+   * This method blocks until the dialog's close button is pressed.
+   * 
+   * @param mimeType defaults to text/plain if null
+   * @param encoding must be null if document contains charset declaration (e.g. HTML page), otherwise the parser crashes
+
+   * @param hashDataInput
+   */
+  public void setContent(HashDataInput hashDataInput) {
+
+    this.content = null;
+
+    String mimeType = hashDataInput.getMimeType();
+    if (mimeType == null) {
+      mimeType = "text/plain";
+    }
+    log.debug("secure viewer mime type: " + mimeType);
+    // loads editorkit for text/plain if unrecognized
+    viewer.setContentType(mimeType);
+
+    if ("text/plain".equals(mimeType)) {
+      viewer.setEditorKit(new StyledEditorKit());
+      viewer.setFont(new Font(PLAINTEXT_FONT, viewer.getFont().getStyle(), viewer.getFont().getSize()));
+//    } else if ("text/html".equals(mimeType)) {
+//      viewer.setEditorKit(new RestrictedHTMLEditorKit());
+    } else if ("application/xhtml+xml".equals(mimeType)) {
+      viewer.setContentType("text/html");
+    }
+
+    EditorKit editorKit = viewer.getEditorKit();
+    Document document = editorKit.createDefaultDocument();
+//    document.putProperty("IgnoreCharsetDirective", new Boolean(true));
+
+    try {
+      Charset cs = (hashDataInput.getEncoding() == null) ? Charset.forName("UTF-8") : Charset.forName(hashDataInput.getEncoding());
+      log.debug("secure viewer encoding: " + cs.toString());
+
+      InputStreamReader isr = new InputStreamReader(hashDataInput.getHashDataInput(), cs);
+      Reader contentReader = new BufferedReader(isr);
+      viewer.read(contentReader, document);
+      contentReader.close();
+
+      this.content = hashDataInput;
+
+//    } catch (IllegalCharsetNameException ex) {
+//    } catch (UnsupportedCharsetException ex) {
+    } catch (Exception ex) {
+      log.error(ex.getMessage(), ex);
+      String p = messages.getString(BKUGUIFacade.ERR_VIEWER);
+      viewer.setText(MessageFormat.format(p, ex.getMessage()));
+    }
+    viewer.setCaretPosition(0);
+
+    scrollPane.setViewportView(viewer);
+    scrollPane.setPreferredSize(viewer.getPreferredSize());
+    scrollPane.setAlignmentX(LEFT_ALIGNMENT);
+
+    if ("application/xhtml+xml".equals(mimeType)) {
+      viewerLabel.setText(messages.getString(BKUGUIFacade.WARNING_XHTML));
+    } else {
+      viewerLabel.setText("");
+    }
+
+    setVisible(true);
+  }
+
+  private JPanel createButtonPanel() { //ActionListener saveListener, String saveCommand) {
+    JButton closeButton = new JButton();
+    closeButton.setText(messages.getString(BKUGUIFacade.BUTTON_CLOSE));
+    closeButton.setActionCommand("close");
+    closeButton.addActionListener(this);
+    
+    JButton saveButton = new JButton();
+    saveButton.setText(messages.getString(BKUGUIFacade.BUTTON_SAVE));
+    saveButton.setActionCommand("save");
+    saveButton.addActionListener(this);
+
+    int buttonSize = closeButton.getPreferredSize().width;
+    if (saveButton.getPreferredSize().width > buttonSize) {
+      buttonSize = saveButton.getPreferredSize().width;
+    }
+
+    JPanel buttonPanel = new JPanel();
+    GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
+    buttonPanel.setLayout(buttonPanelLayout);
+
+    buttonPanelLayout.setHorizontalGroup(
+            buttonPanelLayout.createSequentialGroup().addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE).addComponent(saveButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE).addPreferredGap(LayoutStyle.ComponentPlacement.RELATED).addComponent(closeButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE));
+    buttonPanelLayout.setVerticalGroup(
+            buttonPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE).addComponent(saveButton).addComponent(closeButton));
+
+    return buttonPanel;
+  }
+
+  @Override
+  public void actionPerformed(ActionEvent e) {
+    if ("close".equals(e.getActionCommand())) {
+//    SecureViewerDialog.dialog.setVisible(false);
+      log.trace("closing secure viewer");
+      setVisible(false);
+      log.trace("secure viewer closed");
+    } else if ("save".equals(e.getActionCommand())) {
+      log.trace("display secure viewer save dialog");
+      showSaveDialog(content, null, null);
+      log.trace("done secure viewer save");
+    } else {
+      log.warn("unknown action command " + e.getActionCommand());
+    }
+  }
+
+  private void showSaveDialog(final HashDataInput hashDataInput,
+          final ActionListener okListener, final String okCommand) {
+
+    log.debug("scheduling save dialog [" + Thread.currentThread().getName() + "]");
+
+    SwingUtilities.invokeLater(new Runnable() {
+
+      @Override
+      public void run() {
+
+        log.debug("show save dialog [" + Thread.currentThread().getName() + "]");
+
+        String userHome = System.getProperty("user.home");
+
+        JFileChooser fileDialog = new JFileChooser(userHome);
+        fileDialog.setMultiSelectionEnabled(false);
+        fileDialog.setDialogType(JFileChooser.SAVE_DIALOG);
+        fileDialog.setFileHidingEnabled(true);
+        fileDialog.setDialogTitle(messages.getString(BKUGUIFacade.WINDOWTITLE_SAVE));
+        fileDialog.setFileSelectionMode(JFileChooser.FILES_ONLY);
+        String mimeType = hashDataInput.getMimeType();
+        MimeFilter mimeFilter = new MimeFilter(mimeType, messages);
+        fileDialog.setFileFilter(mimeFilter);
+        String filename = messages.getString(BKUGUIFacade.SAVE_HASHDATAINPUT_PREFIX) +
+                MimeFilter.getExtension(mimeType);
+        fileDialog.setSelectedFile(new File(userHome, filename));
+
+        //parent contentPane -> placed over applet
+        switch (fileDialog.showSaveDialog(fileDialog)) {
+          case JFileChooser.APPROVE_OPTION:
+            File file = fileDialog.getSelectedFile();
+            String id = hashDataInput.getReferenceId();
+            if (file.exists()) {
+              String msgPattern = messages.getString(BKUGUIFacade.MESSAGE_OVERWRITE);
+              int overwrite = JOptionPane.showConfirmDialog(fileDialog,
+                      MessageFormat.format(msgPattern, file),
+                      messages.getString(BKUGUIFacade.WINDOWTITLE_OVERWRITE),
+                      JOptionPane.OK_CANCEL_OPTION);
+              if (overwrite != JOptionPane.OK_OPTION) {
+                return;
+              }
+            }
+            if (log.isDebugEnabled()) {
+              log.debug("writing hashdata input " + id + " (" + mimeType + ") to file " + file);
+            }
+            FileOutputStream fos = null;
+            try {
+              fos = new FileOutputStream(file);
+              BufferedOutputStream bos = new BufferedOutputStream(fos);
+              InputStream hdi = hashDataInput.getHashDataInput();
+              int b;
+              while ((b = hdi.read()) != -1) {
+                bos.write(b);
+              }
+              bos.flush();
+              bos.close();
+            } catch (IOException ex) {
+              log.error("Failed to write " + file + ": " + ex.getMessage());
+              log.debug(ex);
+              String errPattern = messages.getString(BKUGUIFacade.ERR_WRITE_HASHDATA);
+              JOptionPane.showMessageDialog(fileDialog,
+                      MessageFormat.format(errPattern, ex.getMessage()),
+                      messages.getString(BKUGUIFacade.WINDOWTITLE_ERROR),
+                      JOptionPane.ERROR_MESSAGE);
+            } finally {
+              try {
+                if (fos != null) {
+                  fos.close();
+                }
+              } catch (IOException ex) {
+              }
+            }
+            break;
+          case JFileChooser.CANCEL_OPTION:
+            log.debug("cancelled save dialog");
+            break;
+        }
+        if (okListener != null) {
+          okListener.actionPerformed(new ActionEvent(fileDialog, ActionEvent.ACTION_PERFORMED, okCommand));
+        }
+      }
+    });
+  }
+}
diff --git a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties
index 6d651b2d..9bfe8fb1 100644
--- a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties
+++ b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties
@@ -25,6 +25,7 @@ title.retry=<html>Falsche PIN</html>
 title.wait=<html>Bitte warten</html>
 title.hashdata=<html>Signaturdaten</html>
 windowtitle.save=Signaturdaten speichern
+windowtitle.error=Fehler
 windowtitle.savedir=Signaturdaten in Verzeichnis speichern
 windowtitle.overwrite=Datei \u00FCberschreiben?
 windowtitle.viewer=Signaturdaten
@@ -79,7 +80,7 @@ error.unknown.param=<html>Ein Fehler trat auf: {0}</html>
 error.unknown=<html>Ein Fehler trat auf</html>
 error.test=<html>Fehler1 {0} - Fehler2 {1}</html>
 error.card.locked=<html>B\u00FCrgerkarte ist gesperrt</html>
-error.card.notactivated=<html>B\u00FCrgerkartenfunktion ist nicht aktiviert</html>
+error.card.notactivated=<html>Die B\u00FCrgerkarte ist nicht aktiviert</html>
 error.pin.timeout=<html>Zeit\u00FCberschreitung bei Eingabe der PIN</html>
 error.viewer=Der Inhalt kann nicht dargestellt werden: {0}
 error.external.link=<html>Externer Link {0} wird nicht ge\u00F6ffnet</html>
diff --git a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties
index 2fb66969..a36f9b83 100644
--- a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties
+++ b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties
@@ -25,6 +25,7 @@ title.retry=<html>Wrong PIN</html>
 title.wait=<html>Please wait</html>
 title.hashdata=<html>Signature data</html>
 windowtitle.save=Save signature data
+windowtitle.error=Error
 windowtitle.savedir=Save signature data to directory
 windowtitle.overwrite=Overwrite file?
 windowtitle.viewer=Signature data
diff --git a/BKUCommonGUI/src/main/resources/images/ChipperlingLogo.png b/BKUCommonGUI/src/main/resources/images/ChipperlingLogo.png
new file mode 100644
index 00000000..eee4be4f
Binary files /dev/null and b/BKUCommonGUI/src/main/resources/images/ChipperlingLogo.png differ
diff --git a/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUITest.java b/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUITest.java
index c8cff617..b3eaf8c7 100644
--- a/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUITest.java
+++ b/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUITest.java
@@ -39,8 +39,9 @@ public class BKUGUITest {
     public void testBKUGUI() {
         JFrame testFrame = new JFrame("BKUGUITest");
         Container contentPane = testFrame.getContentPane();
-        contentPane.setPreferredSize(new Dimension(170, 150));
-        BKUGUIFacade gui = new BKUGUIImpl(contentPane, null, BKUGUIFacade.Style.tiny, null, null);
+//        contentPane.setPreferredSize(new Dimension(170, 150));
+        contentPane.setPreferredSize(new Dimension(290, 190));
+        BKUGUIFacade gui = new BKUGUIImpl(contentPane, null, BKUGUIFacade.Style.advanced, null, null);
         BKUGUIWorker worker = new BKUGUIWorker();
         worker.init(gui);
         testFrame.pack();
diff --git a/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java b/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java
index 194e18b0..5475a45b 100644
--- a/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java
+++ b/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java
@@ -149,7 +149,9 @@ public class BKUGUIWorker implements Runnable {
 //            
 //            Thread.sleep(2000);
 //
-            gui.showSignaturePINDialog(signPinSpec, -1, signListener, "sign", cancelListener, "cancel", hashdataListener, "hashdata");
+//            gui.showSignaturePINDialog(signPinSpec, -1, signListener, "sign", cancelListener, "cancel", hashdataListener, "hashdata");
+
+    gui.showPinpadSignaturePINDialog(signPinSpec, -1, hashdataListener, "hashdata");
 //
 //            Thread.sleep(4000);
 //
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java
index 5a0ba84a..3f560967 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/BKUGuiProxy.java
@@ -144,4 +144,12 @@ public class BKUGuiProxy implements BKUGUIFacade {
     showDialog();
     delegate.showMessageDialog(titleKey, msgKey);
   }
+
+  @Override
+  public void showPinpadSignaturePINDialog(PINSpec pinSpec, int numRetries,
+          ActionListener viewerListener, String viewerCommand) {
+    showDialog();
+    delegate.showPinpadSignaturePINDialog(pinSpec, numRetries,
+            viewerListener, viewerCommand);
+  }
 }
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalBKUWorker.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalBKUWorker.java
index 61cc7c4c..a782de1a 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalBKUWorker.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalBKUWorker.java
@@ -37,7 +37,8 @@ public class LocalBKUWorker extends AbstractBKUWorker {
   public LocalBKUWorker(BKUGUIFacade gui, JDialog container) {
     super(gui);
     this.container = container;
-    addRequestHandler(SignRequest.class, new LocalSignRequestHandler());
+    addRequestHandler(SignRequest.class, 
+            new LocalSignRequestHandler(new LocalSecureViewer(gui)));
   }
 
   @Override
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSecureViewer.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSecureViewer.java
new file mode 100644
index 00000000..cbe5af7a
--- /dev/null
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSecureViewer.java
@@ -0,0 +1,109 @@
+
+package at.gv.egiz.bku.local.stal;
+
+import at.gv.egiz.bku.slcommands.impl.DataObjectHashDataInput;
+import at.gv.egiz.bku.smccstal.SecureViewer;
+import java.io.IOException;
+import java.util.ArrayList;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.stal.HashDataInput;
+import at.gv.egiz.stal.impl.ByteArrayHashDataInput;
+import at.gv.egiz.stal.signedinfo.ReferenceType;
+import at.gv.egiz.stal.signedinfo.SignedInfoType;
+import java.awt.event.ActionListener;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.util.Collections;
+import java.util.List;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class LocalSecureViewer implements SecureViewer {
+
+  private static final Log log = LogFactory.getLog(LocalSignRequestHandler.class);
+  private List<HashDataInput> hashDataInputs = Collections.EMPTY_LIST;
+
+  protected BKUGUIFacade gui;
+
+  public LocalSecureViewer(BKUGUIFacade gui) {
+    this.gui = gui;
+  }
+
+  public void setDataToBeSigned(List<HashDataInput> dataToBeSigned) {
+    this.hashDataInputs = dataToBeSigned;
+  }
+
+  /**
+   *
+   * @param dsigReferences
+   * @throws java.lang.Exception
+   */
+  @Override
+  public void displayDataToBeSigned(SignedInfoType signedInfo,
+          ActionListener okListener, String okCommand)
+          throws Exception {
+    if (signedInfo.getReference().size() == 0) {
+      log.error("No hashdata input selected to be displayed: null");
+      throw new Exception("No HashData Input selected to be displayed");
+    }
+
+    ArrayList<HashDataInput> selectedHashDataInputs = new ArrayList<HashDataInput>();
+    for (ReferenceType dsigRef : signedInfo.getReference()) {
+      // don't get Manifest, QualifyingProperties, ...
+      if (dsigRef.getType() == null) {
+        String dsigRefId = dsigRef.getId();
+        if (dsigRefId != null) {
+          boolean hdiAvailable = false;
+          for (HashDataInput hashDataInput : hashDataInputs) {
+            if (dsigRefId.equals(hashDataInput.getReferenceId())) {
+              log.debug("display hashdata input for dsig:SignedReference " +
+                      dsigRefId);
+              selectedHashDataInputs.add(
+                      ensureCachedHashDataInput(hashDataInput));
+              hdiAvailable = true;
+              break;
+            }
+          }
+          if (!hdiAvailable) {
+            log.error("no hashdata input for dsig:SignedReference " + dsigRefId);
+            throw new Exception(
+              "No HashDataInput available for dsig:SignedReference " + dsigRefId);
+          }
+        } else {
+          throw new Exception(
+            "Cannot get HashDataInput for dsig:Reference without Id attribute");
+        }
+      }
+    }
+
+    if (selectedHashDataInputs.size() < 1) {
+      log.error("dsig:SignedInfo does not contain a data reference");
+      throw new Exception("dsig:SignedInfo does not contain a data reference");
+    }
+    gui.showSecureViewer(selectedHashDataInputs, okListener, okCommand);
+  }
+
+
+  private HashDataInput ensureCachedHashDataInput(HashDataInput hashDataInput)
+          throws IOException {
+    if (!(hashDataInput instanceof DataObjectHashDataInput)) {
+      
+      log.warn("expected DataObjectHashDataInput for LocalSignRequestHandler, got " +
+              hashDataInput.getClass().getName());
+
+      InputStream hdIs = hashDataInput.getHashDataInput();
+      ByteArrayOutputStream baos = new ByteArrayOutputStream(hdIs.available());
+      int b;
+      while ((b = hdIs.read()) != -1) {
+        baos.write(b);
+      }
+      hashDataInput = new ByteArrayHashDataInput(baos.toByteArray(),
+              hashDataInput.getReferenceId(),
+              hashDataInput.getMimeType(),
+              hashDataInput.getEncoding());
+    }
+    return hashDataInput;
+  }
+
+}
diff --git a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSignRequestHandler.java b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSignRequestHandler.java
index 531e6591..492b8a05 100644
--- a/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSignRequestHandler.java
+++ b/BKULocal/src/main/java/at/gv/egiz/bku/local/stal/LocalSignRequestHandler.java
@@ -16,9 +16,7 @@
  */
 package at.gv.egiz.bku.local.stal;
 
-import at.gv.egiz.bku.slcommands.impl.DataObjectHashDataInput;
-import java.io.IOException;
-import java.util.ArrayList;
+import at.gv.egiz.bku.smccstal.SecureViewer;
 import java.util.Collections;
 import java.util.List;
 
@@ -40,9 +38,16 @@ import java.io.InputStream;
  * @author clemens
  */
 public class LocalSignRequestHandler extends SignRequestHandler {
+//        implements SecureViewer {
 
   private static final Log log = LogFactory.getLog(LocalSignRequestHandler.class);
-  private List<HashDataInput> hashDataInputs = Collections.EMPTY_LIST;
+
+  protected LocalSecureViewer secureViewer;
+
+  public LocalSignRequestHandler(LocalSecureViewer secureViewer) {
+    super(secureViewer);
+  }
+
 
   /**
    * If the request is a SIGN request, it contains a list of DataObjectHashDataInput 
@@ -53,75 +58,13 @@ public class LocalSignRequestHandler extends SignRequestHandler {
    */
   @SuppressWarnings("unchecked")
   @Override
-  public STALResponse handleRequest(STALRequest request) throws InterruptedException {
+  public STALResponse handleRequest(STALRequest request) 
+          throws InterruptedException {
+    
     if (request instanceof SignRequest) {
       SignRequest signReq = (SignRequest) request;
-      hashDataInputs = signReq.getHashDataInput();
+      secureViewer.setDataToBeSigned(signReq.getHashDataInput());
     }
     return super.handleRequest(request);
   }
-
-  /**
-   * 
-   * @param dsigReferences
-   * @throws java.lang.Exception
-   */
-  @Override
-  public void displayDataToBeSigned(List<ReferenceType> dsigReferences) throws Exception {
-    if (dsigReferences == null || dsigReferences.size() < 1) {
-      log.error("No hashdata input selected to be displayed: null");
-      throw new Exception("No HashData Input selected to be displayed");
-    }
-
-    ArrayList<HashDataInput> selectedHashDataInputs = new ArrayList<HashDataInput>();
-    for (ReferenceType dsigRef : dsigReferences) {
-      // don't get Manifest, QualifyingProperties, ...
-      if (dsigRef.getType() == null) {
-        String dsigRefId = dsigRef.getId();
-        if (dsigRefId != null) {
-          boolean hdiAvailable = false;
-          for (HashDataInput hashDataInput : hashDataInputs) {
-            if (dsigRefId.equals(hashDataInput.getReferenceId())) {
-              log.debug("display hashdata input for dsig:SignedReference " + dsigRefId);
-              if (!(hashDataInput instanceof DataObjectHashDataInput)) {
-                log.warn(
-                  "expected DataObjectHashDataInput for LocalSignRequestHandler, got " + hashDataInput.getClass().getName());
-                hashDataInput = getByteArrayHashDataInput(hashDataInput);
-              }
-              selectedHashDataInputs.add(hashDataInput);
-              hdiAvailable = true;
-              break;
-            }
-          }
-          if (!hdiAvailable) {
-            log.error("no hashdata input for dsig:SignedReference " + dsigRefId);
-            throw new Exception(
-              "No HashDataInput available for dsig:SignedReference " + dsigRefId);
-          }
-        } else {
-          throw new Exception(
-            "Cannot get HashDataInput for dsig:Reference without Id attribute");
-        }
-      }
-    }
-
-    if (selectedHashDataInputs.size() < 1) {
-      log.error("dsig:SignedInfo does not contain a data reference");
-      throw new Exception("dsig:SignedInfo does not contain a data reference");
-    }
-    gui.showSecureViewer(selectedHashDataInputs, this, "hashDataDone");
-  }
-
-  private ByteArrayHashDataInput getByteArrayHashDataInput(HashDataInput hashDataInput) throws IOException {
-
-    InputStream hdIs = hashDataInput.getHashDataInput();
-    ByteArrayOutputStream baos = new ByteArrayOutputStream(hdIs.available());
-    int b;
-    while ((b = hdIs.read()) != -1) {
-      baos.write(b);
-    }
-    ByteArrayHashDataInput hdi = new ByteArrayHashDataInput(baos.toByteArray(), hashDataInput.getReferenceId(), hashDataInput.getMimeType(), hashDataInput.getEncoding());
-
-    return hdi;
-  }
 }
diff --git a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties
index e2f07481..04c9c7bf 100644
--- a/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties
+++ b/BKUOnline/src/main/resources/at/gv/egiz/bku/online/conf/defaultConf.properties
@@ -40,9 +40,12 @@ SSL.sslProtocol=TLS
 # warning do not set the following property to true
 # its intended for debugging and testing only 
 SSL.disableAllChecks=false
+#SSL.disableHostnameVerification=true
 
 # ------------ END SSL Config  --------------------
 
+#UserAgent=citizen-card-environment/1.2 MOCCA/1.0
+
 ValidateHashDataInputs=true
 AppletTimeout=300000
 
diff --git a/BKUOnline/src/main/resources/log4j.properties b/BKUOnline/src/main/resources/log4j.properties
index f608c83d..25ea9faa 100644
--- a/BKUOnline/src/main/resources/log4j.properties
+++ b/BKUOnline/src/main/resources/log4j.properties
@@ -30,7 +30,7 @@ log4j.appender.STDOUT.layout.ConversionPattern=%-5p | %t | %c %x - %m%n
 log4j.appender.file=org.apache.log4j.RollingFileAppender
 log4j.appender.file.maxFileSize=500KB
 log4j.appender.file.maxBackupIndex=9
-log4j.appender.file.File=${catalina.home}/logs/bkuonline.log
+log4j.appender.file.File=${catalina.base}/logs/bkuonline.log
 log4j.appender.file.threshold=trace
 log4j.appender.file.layout=org.apache.log4j.PatternLayout
 log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %5p | %t | %c{1}:%L - %m%n
\ No newline at end of file
diff --git a/BKUOnline/src/main/webapp/SLRequestForm.html b/BKUOnline/src/main/webapp/SLRequestForm.html
index 9ff7b68a..4714e82f 100644
--- a/BKUOnline/src/main/webapp/SLRequestForm.html
+++ b/BKUOnline/src/main/webapp/SLRequestForm.html
@@ -103,6 +103,33 @@
 </sl:InfoboxReadRequest>
 -->
 <!--
+<?xml version="1.0" encoding="UTF-8"?>
+<sl:CreateXMLSignatureRequest
+   xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
+  <sl:KeyboxIdentifier>SecureSignatureKeypair</sl:KeyboxIdentifier>
+   <sl:DataObjectInfo Structure="enveloping">
+     <sl:DataObject>
+       <sl:XMLContent>Ich bin ein einfacher Text.</sl:XMLContent>
+     </sl:DataObject>
+    <sl:TransformsInfo>
+      <sl:FinalDataMetaInfo>
+       <sl:MimeType>text/plain</sl:MimeType>
+       </sl:FinalDataMetaInfo>
+    </sl:TransformsInfo>
+  </sl:DataObjectInfo>
+  <sl:DataObjectInfo Structure="enveloping">
+     <sl:DataObject>
+       <sl:XMLContent><html xmlns="http://www.w3.org/1999/xhtml"><head><title>TestXHTML</title><style/></head><body><p>Ich bin ein einfacher Text.</p></body></html></sl:XMLContent>
+     </sl:DataObject>
+    <sl:TransformsInfo>
+      <sl:FinalDataMetaInfo>
+       <sl:MimeType>application/xhtml+xml</sl:MimeType>
+       </sl:FinalDataMetaInfo>
+    </sl:TransformsInfo>
+  </sl:DataObjectInfo>
+</sl:CreateXMLSignatureRequest>
+-->
+<!--
 <?xml version='1.0' encoding='UTF-8'?>
 <sl10:InfoboxUpdateRequest xmlns:sl10='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'>
     <sl10:InfoboxIdentifier>CardChannel</sl10:InfoboxIdentifier>
diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/binding/ExpiryRemoverTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/binding/ExpiryRemoverTest.java
index 61729567..0e64e7a2 100644
--- a/bkucommon/src/test/java/at/gv/egiz/bku/binding/ExpiryRemoverTest.java
+++ b/bkucommon/src/test/java/at/gv/egiz/bku/binding/ExpiryRemoverTest.java
@@ -14,54 +14,57 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package at.gv.egiz.bku.binding;
-
+package at.gv.egiz.bku.binding;
+
 import java.net.MalformedURLException;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
-
-public class ExpiryRemoverTest {
-  
-  @Test
-  public void testMe() throws InterruptedException, MalformedURLException {
-    BindingProcessorManager manager = new BindingProcessorManagerImpl(new DummyStalFactory(),
-        new SLCommandInvokerImpl());
-    BindingProcessor bp = manager.createBindingProcessor("http://www.at", null);
-    ExpiryRemover remover = new ExpiryRemover();
-    remover.setBindingProcessorManager(manager);
-    remover.execute();
-    manager.process(bp);
-    remover.execute();
-    assertTrue(manager.getManagedIds().size() == 1);
-    remover.setMaxAcceptedAge(1000);
-    Thread.sleep(500);
-    remover.execute();
-    assertTrue(manager.getManagedIds().size() == 1);
-    Thread.sleep(510);
-    remover.execute();
-    assertTrue(manager.getManagedIds().size() == 0);
-  }
-  
-  @Test
-  public void testMe2() throws InterruptedException, MalformedURLException {
-    BindingProcessorManager manager = new BindingProcessorManagerImpl(new DummyStalFactory(),
-        new SLCommandInvokerImpl());
-    BindingProcessor bp = manager.createBindingProcessor("http://www.iaik.at", null);
-    ExpiryRemover remover = new ExpiryRemover();
-    remover.setBindingProcessorManager(manager);
-    remover.execute();
-    manager.process(bp);
-    remover.execute();
-    assertTrue(manager.getManagedIds().size() == 1);
-    remover.setMaxAcceptedAge(1000);
-    Thread.sleep(500);
-    remover.execute();
-    assertTrue(manager.getManagedIds().size() == 1);
-    bp.updateLastAccessTime();
-    Thread.sleep(510);
-    remover.execute();
-    assertTrue(manager.getManagedIds().size() == 1);
-  }
-
-}
+import org.junit.Ignore;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class ExpiryRemoverTest {
+  
+  @Test
+  @Ignore
+  public void testMe() throws InterruptedException, MalformedURLException {
+    BindingProcessorManager manager = new BindingProcessorManagerImpl(new DummyStalFactory(),
+        new SLCommandInvokerImpl());
+    BindingProcessor bp = manager.createBindingProcessor("http://www.at", null);
+    ExpiryRemover remover = new ExpiryRemover();
+    remover.setBindingProcessorManager(manager);
+    remover.execute();
+    manager.process(bp);
+    remover.execute();
+    assertTrue(manager.getManagedIds().size() == 1);
+    remover.setMaxAcceptedAge(1000);
+    Thread.sleep(500);
+    remover.execute();
+    assertTrue(manager.getManagedIds().size() == 1);
+    Thread.sleep(510);
+    remover.execute();
+    assertTrue(manager.getManagedIds().size() == 0);
+  }
+  
+  @Test
+  @Ignore
+  public void testMe2() throws InterruptedException, MalformedURLException {
+    BindingProcessorManager manager = new BindingProcessorManagerImpl(new DummyStalFactory(),
+        new SLCommandInvokerImpl());
+    BindingProcessor bp = manager.createBindingProcessor("http://www.iaik.at", null);
+    ExpiryRemover remover = new ExpiryRemover();
+    remover.setBindingProcessorManager(manager);
+    remover.execute();
+    manager.process(bp);
+    remover.execute();
+    assertTrue(manager.getManagedIds().size() == 1);
+    remover.setMaxAcceptedAge(1000);
+    Thread.sleep(500);
+    remover.execute();
+    assertTrue(manager.getManagedIds().size() == 1);
+    bp.updateLastAccessTime();
+    Thread.sleep(510);
+    remover.execute();
+    assertTrue(manager.getManagedIds().size() == 1);
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index 01b9155b..06e4a018 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -28,6 +28,7 @@
 //
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.ccid.CCID;
 import at.gv.egiz.smcc.util.SMCCHelper;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
@@ -41,7 +42,7 @@ import javax.smartcardio.ResponseAPDU;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
+public class ACOSCard extends AbstractSignatureCard {
 
   private static Log log = LogFactory.getLog(ACOSCard.class);
 
@@ -180,22 +181,23 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
         //new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("inf.pin.name"));
         
         int retries = -1;
-        char[] pin = null;
-        boolean pinRequiered = false;
+        boolean pinRequired = false;
 
         do {
-          if (pinRequiered) {
-            pin = provider.providePIN(spec, retries);
-          }
           try {
             getCard().beginExclusive();
-            return readTLVFile(AID_DEC, EF_INFOBOX, pin, KID_PIN_INF, EF_INFOBOX_MAX_SIZE);
+            if (pinRequired) {
+              char[] pin = provider.providePIN(spec, retries);
+              return readTLVFile(AID_DEC, EF_INFOBOX, pin, spec.getKID(), EF_INFOBOX_MAX_SIZE);
+            } else {
+              return readTLVFile(AID_DEC, EF_INFOBOX, EF_INFOBOX_MAX_SIZE);
+            }
           } catch (FileNotFoundException e) {
             throw new NotActivatedException();
           } catch (SecurityStatusNotSatisfiedException e) {
-            pinRequiered = true;
+            pinRequired = true;
           } catch (VerificationFailedException e) {
-            pinRequiered = true;
+            pinRequired = true;
             retries = e.getRetries();
           } finally {
             getCard().endExclusive();
@@ -402,10 +404,10 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
           throws LockedException, NotActivatedException, CancelledException, TimeoutException, SignatureCardException {
     try {
       byte[] sw;
-      if (ifdSupportsFeature(FEATURE_VERIFY_PIN_DIRECT)) {
+      if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
         log.debug("verify PIN on IFD");
-        sw = transmitControlCommand(
-                ifdCtrlCmds.get(FEATURE_VERIFY_PIN_DIRECT),
+        sw = reader.transmitControlCommand(
+                CCID.FEATURE_VERIFY_PIN_DIRECT,
                 getPINVerifyStructure(kid));
 //        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
       } else {
@@ -466,10 +468,10 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
           throws LockedException, NotActivatedException, CancelledException, TimeoutException, SignatureCardException {
     try {
        byte[] sw;
-      if (ifdSupportsFeature(FEATURE_MODIFY_PIN_DIRECT)) {
+      if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_DIRECT)) {
         log.debug("modify PIN on IFD");
-        sw = transmitControlCommand(
-                ifdCtrlCmds.get(FEATURE_MODIFY_PIN_DIRECT),
+        sw = reader.transmitControlCommand(
+                CCID.FEATURE_MODIFY_PIN_DIRECT,
                 getPINModifyStructure(kid));
 //        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
       } else {
@@ -543,34 +545,37 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   }
   
   private byte[] getPINVerifyStructure(byte kid) {
-
-      byte bTimeOut = (byte) 00;            // Default time out
-      byte bTimeOut2 = (byte) 00;           // Default time out
-      byte bmFormatString = (byte) 0x82;      // 1 0001 0 01
+      
+      byte bTimeOut = reader.getbTimeOut();   
+      byte bTimeOut2 = reader.getbTimeOut2(); 
+      byte bmFormatString = (byte) 0x82;      // 1 0000 0 10
                                               // ^------------ System unit = byte
                                               //   ^^^^------- PIN position in the frame = 1 byte
                                               //        ^----- PIN justification left
-                                              //          ^^-- BCD format
-                                              // 1 0000 0 10
                                               //          ^^-- ASCII format
-      byte bmPINBlockString = (byte) 0x08;    // 0100 0111
-                                              // ^^^^--------- PIN length size: 4 bits
-                                              //      ^^^^---- Length PIN = 7 bytes
-      byte bmPINLengthFormat = (byte) 0x04;   // 000 0 0100
+      byte bmPINBlockString = (byte) 0x08;    // 0000 1000
+                                              // ^^^^--------- PIN length size: 0 bits
+                                              //      ^^^^---- Length PIN = 8 bytes
+      byte bmPINLengthFormat = (byte) 0x00;   // 000 0 0000
                                               //     ^-------- System bit units is bit
-                                              //       ^^^^--- PIN length is at the 4th position bit
-      byte wPINMaxExtraDigitL = (byte) 0x04;  // Max=4 digits
-      byte wPINMaxExtraDigitH = (byte) 0x04;  // Min=4 digits
-      byte bEntryValidationCondition = 0x02;  // Max size reach or Validation key pressed
+                                              //       ^^^^--- no PIN length
+      byte wPINMaxExtraDigitL =
+              (reader.getwPINMaxExtraDigitL() < (byte) 0x08) ?
+                reader.getwPINMaxExtraDigitL() : (byte) 0x08;
+      byte wPINMaxExtraDigitH =               
+              (reader.getwPINMaxExtraDigitH() > (byte) 0x00) ?
+                reader.getwPINMaxExtraDigitH() : (byte) 0x00;
+      byte bEntryValidationCondition = 
+              reader.getbEntryValidationCondition();
       byte bNumberMessage = (byte) 0x00;      // No message
-      byte wLangIdL = (byte) 0x0C;            // - English?
-      byte wLangIdH = (byte) 0x04;            // \
-      byte bMsgIndex = (byte) 0x00;           // Default Msg
+      byte wLangIdL = (byte) 0x0C;            
+      byte wLangIdH = (byte) 0x04;            
+      byte bMsgIndex = (byte) 0x00;           
 
       byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x20, (byte) 0x00, kid, (byte) 0x08,  // CLA INS P1 P2 LC
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,               // Data
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00                // Data
+        (byte) 0x00, (byte) 0x20, (byte) 0x00, kid, (byte) 0x08, 
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,      
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00       
       };
 
       int offset = 0;
@@ -603,40 +608,43 @@ public class ACOSCard extends AbstractSignatureCard implements SignatureCard {
   
   public byte[] getPINModifyStructure(byte kid) {
 
-      byte bTimeOut = (byte) 00;            // Default time out
-      byte bTimeOut2 = (byte) 00;           // Default time out
-      byte bmFormatString = (byte) 0x82;      // 1 0001 0 01
+      byte bTimeOut = reader.getbTimeOut();
+      byte bTimeOut2 = reader.getbTimeOut2();
+      byte bmFormatString = (byte) 0x82;      // 1 0000 0 10
                                               // ^------------ System unit = byte
                                               //   ^^^^------- PIN position in the frame = 1 byte
                                               //        ^----- PIN justification left
-                                              //          ^^-- BCD format
-                                              // 1 0000 0 10
                                               //          ^^-- ASCII format
-      byte bmPINBlockString = (byte) 0x08;    // 0100 0111
-                                              // ^^^^--------- PIN length size: 4 bits
-                                              //      ^^^^---- Length PIN = 7 bytes
-      byte bmPINLengthFormat = (byte) 0x00;   // 000 0 0100
+      byte bmPINBlockString = (byte) 0x08;    // 0000 1000
+                                              // ^^^^--------- PIN length size: 0 bits
+                                              //      ^^^^---- Length PIN = 8 bytes
+      byte bmPINLengthFormat = (byte) 0x00;   // 000 0 0000
                                               //     ^-------- System bit units is bit
-                                              //       ^^^^--- PIN length is at the 4th position bit
+                                              //       ^^^^--- no PIN length 
       byte bInsertionOffsetOld = (byte) 0x00; // insertion position offset in bytes
-      byte bInsertionOffsetNew = (byte) 0x00; // insertion position offset in bytes
-      byte wPINMaxExtraDigitL = (byte) 0x04;  // Min=4 digits
-      byte wPINMaxExtraDigitH = (byte) 0x04;  // Max=12 digits
-      byte bConfirmPIN = (byte) 0x00;         // ??? need for confirm pin
-      byte bEntryValidationCondition = 0x02;  // Max size reach or Validation key pressed
-      byte bNumberMessage = (byte) 0x00;      // No message
-      byte wLangIdL = (byte) 0x0C;            // - English?
-      byte wLangIdH = (byte) 0x04;            // \
-      byte bMsgIndex1 = (byte) 0x00;           // Default Msg
-      byte bMsgIndex2 = (byte) 0x00;           // Default Msg
-      byte bMsgIndex3 = (byte) 0x00;           // Default Msg
+      byte bInsertionOffsetNew = (byte) 0x08; 
+      byte wPINMaxExtraDigitL =
+              (reader.getwPINMaxExtraDigitL() < (byte) 0x08) ?
+                reader.getwPINMaxExtraDigitL() : (byte) 0x08;
+      byte wPINMaxExtraDigitH =
+              (reader.getwPINMaxExtraDigitH() > (byte) 0x00) ?
+                reader.getwPINMaxExtraDigitH() : (byte) 0x00;
+      byte bConfirmPIN = (byte) 0x03;
+      byte bEntryValidationCondition =
+              reader.getbEntryValidationCondition();
+      byte bNumberMessage = (byte) 0x03;      
+      byte wLangIdL = (byte) 0x0C;            
+      byte wLangIdH = (byte) 0x04;            
+      byte bMsgIndex1 = (byte) 0x00;           
+      byte bMsgIndex2 = (byte) 0x01;           
+      byte bMsgIndex3 = (byte) 0x02;           
 
       byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x24, (byte) 0x00, kid, (byte) 0x10,  // CLA INS P1 P2 LC
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,               // Data
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,                // ...
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,               // Data
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff                // ...
+        (byte) 0x00, (byte) 0x24, (byte) 0x00, kid, (byte) 0x10,  
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00        
       };
 
       int offset = 0;
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
index 6587aaf9..47c27369 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
@@ -28,6 +28,9 @@
 //
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.ccid.CCID;
+import at.gv.egiz.smcc.ccid.DefaultReader;
+import at.gv.egiz.smcc.ccid.ReaderFactory;
 import at.gv.egiz.smcc.util.SMCCHelper;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -39,6 +42,8 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.ResourceBundle;
 
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.smartcardio.ATR;
 import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
@@ -54,14 +59,6 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   private static Log log = LogFactory.getLog(AbstractSignatureCard.class);
 
-  static final short GET_FEATURE_REQUEST = 3400;
-  
-  private static int getCtrlCode(short function) {
-    return 0x310000 | ((0xFFFF & function) << 2);
-  }
-
-  protected Map<Byte, Long> ifdCtrlCmds;
-
   protected List<PINSpec> pinSpecs = new ArrayList<PINSpec>();
 
   private ResourceBundle i18n;
@@ -76,7 +73,8 @@ public abstract class AbstractSignatureCard implements SignatureCard {
   /**
    * The card terminal that connects the {@link #card_}.  
    */
-  private CardTerminal cardTerminal;
+//  private CardTerminal cardTerminal;
+  protected CCID reader;
 
   protected AbstractSignatureCard(String resourceBundleName) {
     this.resourceBundleName = resourceBundleName;
@@ -341,16 +339,34 @@ public abstract class AbstractSignatureCard implements SignatureCard {
    */
   protected byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
       throws SignatureCardException, InterruptedException, CardException {
-    return readTLVFile(aid, ef, null, (byte) 0, maxLength);
+    // SELECT FILE (AID)
+    selectFileAID(aid);
+
+    // SELECT FILE (EF)
+    ResponseAPDU resp = selectFileFID(ef);
+    if (resp.getSW() == 0x6a82) {
+      // EF not found
+      throw new FileNotFoundException("EF " + toString(ef) + " not found.");
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("SELECT FILE with "
+          + "FID="
+          + toString(ef)
+          + " failed ("
+          + "SW="
+          + Integer.toHexString(resp.getSW()) + ").");
+    }
+
+    return readBinaryTLV(maxLength, (byte) 0x30);
+//    return readTLVFile(aid, ef, null, (byte) 0, maxLength);
   }
 
   /**
-   * Read the content of a TLV file wich may require a PIN.
+   * Read the content of a TLV file wich requires a PIN.
    * 
    * @param aid the application ID (AID)
    * @param ef the elementary file (EF)
    * @param kid the key ID (KID) of the corresponding PIN
-   * @param provider the PINProvider
+   * @param pin the pin or null if VERIFY on pinpad
    * @param spec the PINSpec
    * @param maxLength the maximum length of the file
    * 
@@ -381,12 +397,10 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     }
 
     // VERIFY
-    if (pin != null) {
       int retries = verifyPIN(kid, pin);
       if (retries != -1) {
         throw new VerificationFailedException(retries);
       }
-    }
    
     return readBinaryTLV(maxLength, (byte) 0x30);
       
@@ -443,16 +457,16 @@ public abstract class AbstractSignatureCard implements SignatureCard {
   }
 
   
+  @Override
   public void init(Card card, CardTerminal cardTerminal) {
-    card_ = card;
-    this.cardTerminal = cardTerminal;
+    this.card_ = card;
+    this.reader = ReaderFactory.getReader(card, cardTerminal);
     ATR atr = card.getATR();
     byte[] atrBytes = atr.getBytes();
     if (atrBytes.length >= 6) {
       ifs_ = 0xFF & atr.getBytes()[6];
       log.trace("Setting IFS (information field size) to " + ifs_);
     }
-    ifdCtrlCmds = queryIFDFeatures();
   }
   
   @Override
@@ -464,6 +478,11 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     return card_.getBasicChannel();
   }
 
+  @Override
+  public CCID getReader() {
+    return reader;
+  }
+
   @Override
   public void setLocale(Locale locale) {
     if (locale == null) {
@@ -497,9 +516,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
       log.debug("Disconnect and reset smart card.");
       card_.disconnect(true);
       log.debug("Reconnect smart card.");
-      if (cardTerminal != null) {
-        card_ = cardTerminal.connect("*");
-      }
+      card_ = reader.connect();
     } catch (CardException e) {
       throw new SignatureCardException("Failed to reset card.", e);
     }
@@ -520,6 +537,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
         selectFileAID(pinSpec.getContextAID());
       }
 
+      // -1 if ok or unknown
       int retries = verifyPIN(pinSpec.getKID());
       do {
         char[] pin = pinProvider.providePIN(pinSpec, retries);
@@ -611,166 +629,4 @@ public abstract class AbstractSignatureCard implements SignatureCard {
           throws CancelledException, SignatureCardException, InterruptedException {
     throw new SignatureCardException("Unblock not supported yet");
   }
-
-  /////////////////////////////////////////////////////////////////////////////
-  // IFD related code
-  /////////////////////////////////////////////////////////////////////////////
-
-  /**
-   * TODO implement VERIFY_PIN_START/FINISH (feature 0x01/0x02)
-   * @return
-   */
-  @Override
-  public boolean ifdSupportsFeature(byte feature) {
-    if (ifdCtrlCmds != null) {
-      return ifdCtrlCmds.containsKey(feature);
-    }
-    return false;
-  }
-
-  protected Map<Byte, Long> queryIFDFeatures() {
-
-    if (card_ == null) {
-      throw new NullPointerException("Need connected smart card to query IFD features");
-    }
-
-    Map<Byte, Long> ifdFeatures = new HashMap<Byte, Long>();
-
-    try {
-      if (log.isTraceEnabled()) {
-        log.trace("GET_FEATURE_REQUEST CtrlCode " + Integer.toHexString(getCtrlCode(GET_FEATURE_REQUEST)));
-      }
-      byte[] resp = card_.transmitControlCommand(getCtrlCode(GET_FEATURE_REQUEST), new byte[]{});
-
-      if (log.isTraceEnabled()) {
-        log.trace("GET_FEATURE_REQUEST Response " + SMCCHelper.toString(resp));
-      }
-
-      for (int i = 0; i + 5 < resp.length; i += 6) {
-        Byte feature = new Byte(resp[i]);
-        Long ctrlCode = new Long(
-          ((0xFF & resp[i + 2]) << 24) |
-          ((0xFF & resp[i + 3]) << 16) |
-          ((0xFF & resp[i + 4]) << 8) |
-           (0xFF & resp[i + 5]));
-        if (log.isInfoEnabled()) {
-          log.info("IFD supports feature " + Integer.toHexString(feature.byteValue()) +
-                  ": " + Long.toHexString(ctrlCode.longValue()));
-        }
-        ifdFeatures.put(feature, ctrlCode);
-      }
-
-    } catch (CardException ex) {
-      log.debug("Failed to query IFD features: " + ex.getMessage());
-      log.trace(ex);
-      log.info("IFD does not support PINPad");
-      return null;
-    }
-    return ifdFeatures;
-  }
-
-
-  protected byte ifdGetKeyPressed() throws CardException {
-    if (ifdSupportsFeature(FEATURE_VERIFY_PIN_DIRECT)) {
-
-      Long controlCode = (Long) ifdCtrlCmds.get(new Byte((byte) 0x05));
-
-      byte key = 0x00;
-      while (key == 0x00) {
-
-        byte[] resp = card_.transmitControlCommand(controlCode.intValue(), new byte[] {});
-
-        if (resp != null && resp.length > 0) {
-          key = resp[0];
-        }
-      }
-
-      System.out.println("Key: " + key);
-
-    }
-
-    return 0x00;
-  }
-
-  protected byte[] ifdVerifyPINFinish() throws CardException {
-    if (ifdSupportsFeature(FEATURE_VERIFY_PIN_DIRECT)) {
-
-      Long controlCode = (Long) ifdCtrlCmds.get(new Byte((byte) 0x02));
-
-      byte[] resp = card_.transmitControlCommand(controlCode.intValue(), new byte[] {});
-
-      System.out.println("CommandResp: " + toString(resp));
-
-      return resp;
-
-    }
-
-    return null;
-  }
-
-
-  /**
-   * assumes ifdSupportsVerifyPIN() == true
-   * @param pinVerifyStructure
-   * @return
-   * @throws javax.smartcardio.CardException
-   */
-//  protected byte[] ifdVerifyPIN(byte[] pinVerifyStructure) throws CardException {
-//
-////      Long ctrlCode = (Long) ifdFeatures.get(FEATURE_IFD_PIN_PROPERTIES);
-////      if (ctrlCode != null) {
-////        if (log.isTraceEnabled()) {
-////          log.trace("PIN_PROPERTIES CtrlCode " + Integer.toHexString(ctrlCode.intValue()));
-////        }
-////        byte[] resp = card_.transmitControlCommand(ctrlCode.intValue(), new byte[] {});
-////
-////        if (log.isTraceEnabled()) {
-////          log.trace("PIN_PROPERTIES Response " + SMCCHelper.toString(resp));
-////        }
-////      }
-//
-//
-//      Long ctrlCode = (Long) ifdFeatures.get(FEATURE_VERIFY_PIN_DIRECT);
-//      if (ctrlCode == null) {
-//        throw new NullPointerException("no CtrlCode for FEATURE_VERIFY_PIN_DIRECT");
-//      }
-//
-//      if (log.isTraceEnabled()) {
-//        log.trace("VERIFY_PIN_DIRECT CtrlCode " + Integer.toHexString(ctrlCode.intValue()) +
-//                ", PIN_VERIFY_STRUCTURE " + SMCCHelper.toString(pinVerifyStructure));
-//      }
-//      byte[] resp = card_.transmitControlCommand(ctrlCode.intValue(), pinVerifyStructure);
-//
-//      if (log.isTraceEnabled()) {
-//        log.trace("VERIFY_PIN_DIRECT Response " + SMCCHelper.toString(resp));
-//      }
-//      return resp;
-//  }
-
-//  protected Long getControlCode(Byte feature) {
-//    if (ifdFeatures != null) {
-//      return ifdFeatures.get(feature);
-//    }
-//    return null;
-//  }
-
-  protected byte[] transmitControlCommand(Long ctrlCode, byte[] ctrlCommand)
-          throws CardException {
-//    Long ctrlCode = (Long) ifdFeatures.get(feature);
-    if (ctrlCode == null) {
-      throw new NullPointerException("ControlCode " +
-              Integer.toHexString(ctrlCode.intValue()) + " not supported");
-    }
-    if (log.isTraceEnabled()) {
-      log.trace("CtrlCommand (" + Integer.toHexString(ctrlCode.intValue()) +
-              ")  " + SMCCHelper.toString(ctrlCommand));
-    }
-    byte[] resp = card_.transmitControlCommand(ctrlCode.intValue(), ctrlCommand);
-
-    if (log.isTraceEnabled()) {
-      log.trace("CtrlCommand Response " + SMCCHelper.toString(resp));
-    }
-    return resp;
-  }
-
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index 91245c50..bc6a2316 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -28,6 +28,7 @@
 //
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.ccid.DefaultReader;
 import at.gv.egiz.smcc.util.SMCCHelper;
 import java.util.Arrays;
 import javax.smartcardio.CardChannel;
@@ -38,7 +39,7 @@ import javax.smartcardio.ResponseAPDU;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-public class STARCOSCard extends AbstractSignatureCard implements SignatureCard {
+public class STARCOSCard extends AbstractSignatureCard {
 
   /**
    * Logging facility.
@@ -153,8 +154,8 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
 
   public static final byte KID_PIN_CARD = (byte) 0x01;
 
-  private static final int PINSPEC_CARD = 0;
-  private static final int PINSPEC_SS = 1;
+  public static final int PINSPEC_CARD = 0;
+  public static final int PINSPEC_SS = 1;
 
   /**
    * Creates an new instance.
@@ -217,28 +218,29 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
   
     try {
       if ("IdentityLink".equals(infobox)) {
- 
+
         PINSpec spec = pinSpecs.get(PINSPEC_CARD);
         //new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
-        
+
         int retries = -1;
-        char[] pin = null;
-        boolean pinRequiered = false;
+        boolean pinRequired = false;
 
         do {
-          if (pinRequiered) {
-            pin = provider.providePIN(spec, retries);
-          }
           try {
             getCard().beginExclusive();
-            return readTLVFile(AID_INFOBOX, EF_INFOBOX, pin, KID_PIN_CARD, 2000);
+            if (pinRequired) {
+              char[] pin = provider.providePIN(spec, retries);
+              return readTLVFile(AID_INFOBOX, EF_INFOBOX, pin, spec.getKID(), 2000);
+            } else {
+              return readTLVFile(AID_INFOBOX, EF_INFOBOX, 2000);
+            }
           } catch (FileNotFoundException e) {
             throw new NotActivatedException();
           } catch (SecurityStatusNotSatisfiedException e) {
-            pinRequiered = true;
+            pinRequired = true;
             retries = verifyPIN(KID_PIN_CARD);
           } catch (VerificationFailedException e) {
-            pinRequiered = true;
+            pinRequired = true;
             retries = e.getRetries();
           } finally {
             getCard().endExclusive();
@@ -246,54 +248,43 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
         } while (retries != 0);
 
         throw new LockedException();
-
         
       } else if ("EHIC".equals(infobox)) {
-        
         try {
           getCard().beginExclusive();
           return readTLVFile(AID_SV_PERSONENDATEN, FID_EHIC, 126);
         } finally {
           getCard().endExclusive();
         }
-        
       } else if ("Grunddaten".equals(infobox)) {
-        
         try {
           getCard().beginExclusive();
           return readTLVFile(AID_SV_PERSONENDATEN, FID_GRUNDDATEN, 550);
         } finally {
           getCard().endExclusive();
         }
-        
       } else if ("SV-Personenbindung".equals(infobox)) {
-        
         try {
           getCard().beginExclusive();
           return readTLVFile(AID_SV_PERSONENDATEN, FID_SV_PERSONENBINDUNG, 500);
         } finally {
           getCard().endExclusive();
         }
-        
       } else if ("Status".equals(infobox)) {
-        
         try {
           getCard().beginExclusive();
           return readRecords(AID_SV_PERSONENDATEN, FID_STATUS, 1, 5);
         } finally {
           getCard().endExclusive();
         }
-        
       } else {
         throw new IllegalArgumentException("Infobox '" + infobox
             + "' not supported.");
       }
-      
     } catch (CardException e) {
       log.warn(e);
       throw new SignatureCardException("Failed to access card.", e);
     }
-  
   }
 
   @Override
@@ -466,10 +457,10 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
           throws LockedException, NotActivatedException, SignatureCardException {
     try {
       byte[] sw;
-      if (ifdSupportsFeature(FEATURE_VERIFY_PIN_DIRECT)) {
+      if (reader.hasFeature(DefaultReader.FEATURE_VERIFY_PIN_DIRECT)) {
         log.debug("verify PIN on IFD");
-        sw = transmitControlCommand(
-                ifdCtrlCmds.get(FEATURE_VERIFY_PIN_DIRECT),
+        sw = reader.transmitControlCommand(
+                DefaultReader.FEATURE_VERIFY_PIN_DIRECT,
                 getPINVerifyStructure(kid));
 //        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
       } else {
@@ -551,10 +542,10 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
           throws LockedException, NotActivatedException, CancelledException, TimeoutException, SignatureCardException {
     try {
       byte[] sw;
-      if (ifdSupportsFeature(FEATURE_MODIFY_PIN_DIRECT)) {
+      if (reader.hasFeature(DefaultReader.FEATURE_MODIFY_PIN_DIRECT)) {
         log.debug("modify PIN on IFD");
-        sw = transmitControlCommand(
-                ifdCtrlCmds.get(FEATURE_MODIFY_PIN_DIRECT),
+        sw = reader.transmitControlCommand(
+                DefaultReader.FEATURE_MODIFY_PIN_DIRECT,
                 getPINModifyStructure(kid));
 //        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
       } else {
@@ -606,31 +597,43 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
   protected void activatePIN(byte kid, char[] pin)
           throws CancelledException, TimeoutException, SignatureCardException {
     try {
-      CardChannel channel = getCardChannel();
-      ResponseAPDU resp = transmit(channel,
-              new CommandAPDU(0x00, 0x24, 0x01, kid, encodePINBlock(pin)), false);
+      byte[] sw;
+      if (reader.hasFeature(DefaultReader.FEATURE_MODIFY_PIN_DIRECT)) {
+        log.debug("activate PIN on IFD");
+        sw = reader.transmitControlCommand(
+                DefaultReader.FEATURE_MODIFY_PIN_DIRECT,
+                getActivatePINModifyStructure(kid));
+//        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
+      } else {
+        CardChannel channel = getCardChannel();
+        ResponseAPDU resp = transmit(channel,
+                new CommandAPDU(0x00, 0x24, 0x01, kid, encodePINBlock(pin)), false);
 
-      log.trace("activate pin returned SW=" + Integer.toHexString(resp.getSW()));
+        sw = new byte[2];
+        sw[0] = (byte) resp.getSW1();
+        sw[1] = (byte) resp.getSW2();
+        log.trace("activate pin returned SW=" + Integer.toHexString(resp.getSW()));
+      }
 
-      if (resp.getSW1() == 0x9000) {
+      if (sw[0] == (byte) 0x90 && sw[1] == (byte) 0x00) {
         return;
-      } else if (resp.getSW() == 0x6983) {
+      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x83) {
         //Authentisierungsmethode gesperrt
         throw new LockedException("[69:83]");
-      } else if (resp.getSW() == 0x6984) {
-        //referenzierte Daten sind reversibel gesperrt (invalidated)
-        throw new NotActivatedException("[69:84]");
-      } else if (resp.getSW() == 0x6985) {
-        //Benutzungsbedingungen nicht erfüllt
-        throw new NotActivatedException("[69:85]");
-      } else if (resp.getSW() == 0x6400) {
+//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x84) {
+//        //referenzierte Daten sind reversibel gesperrt (invalidated)
+//        throw new NotActivatedException("[69:84]");
+//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x85) {
+//        //Benutzungsbedingungen nicht erfüllt
+//        throw new NotActivatedException("[69:85]");
+      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x00) {
         throw new TimeoutException("[64:00]");
-      } else if (resp.getSW() == 0x6401) {
+      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x01) {
         throw new CancelledException("[64:01]");
       }
-      log.error("Failed to activate pin: SW=" +
-              Integer.toHexString(resp.getSW()));
-      throw new SignatureCardException("[" + Integer.toHexString(resp.getSW()) + "]");
+      log.error("Failed to activate pin: SW="
+              + SMCCHelper.toString(sw));
+      throw new SignatureCardException(SMCCHelper.toString(sw));
 
     } catch (CardException ex) {
       log.error("smart card communication failed: " + ex.getMessage());
@@ -667,9 +670,8 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
   }
   
   private byte[] getPINVerifyStructure(byte kid) {
-      
-      byte bTimeOut = (byte) 00;            // Default time out
-      byte bTimeOut2 = (byte) 00;           // Default time out
+      byte bTimeOut = reader.getbTimeOut(); 
+      byte bTimeOut2 = reader.getbTimeOut2(); // time out after first entry
       byte bmFormatString = (byte) 0x89;      // 1 0001 0 01 
                                               // ^------------ System unit = byte
                                               //   ^^^^------- PIN position in the frame = 1 byte
@@ -681,9 +683,14 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
       byte bmPINLengthFormat = (byte) 0x04;   // 000 0 0100
                                               //     ^-------- System bit units is bit
                                               //       ^^^^--- PIN length is at the 4th position bit
-      byte wPINMaxExtraDigitL = (byte) 0x04;  // Max=4 digits
-      byte wPINMaxExtraDigitH = (byte) 0x04;  // Min=4 digits
-      byte bEntryValidationCondition = 0x02;  // Max size reach or Validation key pressed
+      byte wPINMaxExtraDigitL =               // Max=12 digits (Gemplus support max 8)
+              (reader.getwPINMaxExtraDigitL() < (byte) 0x12) ?
+                reader.getwPINMaxExtraDigitL() : (byte) 0x12;
+      byte wPINMaxExtraDigitH =               // Min=4/6 digits TODO card/ss pin (min: 4/6)
+              (reader.getwPINMaxExtraDigitH() > (byte) 0x04) ?
+                reader.getwPINMaxExtraDigitH() : (byte) 0x04;
+      byte bEntryValidationCondition = 
+              reader.getbEntryValidationCondition();  
       byte bNumberMessage = (byte) 0x00;      // No message
       byte wLangIdL = (byte) 0x0C;            // - English?
       byte wLangIdH = (byte) 0x04;            // \
@@ -725,38 +732,99 @@ public class STARCOSCard extends AbstractSignatureCard implements SignatureCard
 
   private byte[] getPINModifyStructure(byte kid) {
 
-      byte bTimeOut = (byte) 00;            // Default time out
-      byte bTimeOut2 = (byte) 00;           // Default time out
-      byte bmFormatString = (byte) 0x89;      // 1 0001 0 01
-                                              // ^------------ System unit = byte
-                                              //   ^^^^------- PIN position in the frame = 1 byte
-                                              //        ^----- PIN justification left
-                                              //          ^^-- BCD format
-      byte bmPINBlockString = (byte) 0x47;    // 0100 0111
-                                              // ^^^^--------- PIN length size: 4 bits
-                                              //      ^^^^---- Length PIN = 7 bytes
-      byte bmPINLengthFormat = (byte) 0x04;   // 000 0 0100
-                                              //     ^-------- System bit units is bit
-                                              //       ^^^^--- PIN length is at the 4th position bit
-      byte bInsertionOffsetOld = (byte) 0x01; // insertion position offset in bytes
-      byte bInsertionOffsetNew = (byte) 0x08; // insertion position offset in bytes
-      byte wPINMaxExtraDigitL = (byte) 0x04;  // Min=4 digits
-      byte wPINMaxExtraDigitH = (byte) 0x04;  // Max=12 digits
-      byte bConfirmPIN = (byte) 0x00;         // ??? need for confirm pin
-      byte bEntryValidationCondition = 0x02;  // Max size reach or Validation key pressed
-      byte bNumberMessage = (byte) 0x00;      // No message
-      byte wLangIdL = (byte) 0x0C;            // - English?
-      byte wLangIdH = (byte) 0x04;            // \
-      byte bMsgIndex1 = (byte) 0x00;           // Default Msg
-      byte bMsgIndex2 = (byte) 0x00;           // Default Msg
-      byte bMsgIndex3 = (byte) 0x00;           // Default Msg
+      byte bTimeOut = reader.getbTimeOut();   // s.o.
+      byte bTimeOut2 = reader.getbTimeOut2(); // s.o.
+      byte bmFormatString = (byte) 0x89;      // s.o.
+      byte bmPINBlockString = (byte) 0x47;    // s.o.
+      byte bmPINLengthFormat = (byte) 0x04;   // s.o.
+      byte bInsertionOffsetOld = (byte) 0x00; // insertion position offset in bytes
+      byte bInsertionOffsetNew = (byte) 0x08; // (add 1 from bmFormatString b3)
+      byte wPINMaxExtraDigitL = 
+              (reader.getwPINMaxExtraDigitL() < (byte) 0x12) ?
+                reader.getwPINMaxExtraDigitL() : (byte) 0x12;
+      byte wPINMaxExtraDigitH =               // Min=4/6 digits TODO card/ss pin (min: 4/6)
+              (reader.getwPINMaxExtraDigitH() > (byte) 0x04) ?
+                reader.getwPINMaxExtraDigitH() : (byte) 0x04;
+      byte bConfirmPIN = (byte) 0x03;         // current pin entry + confirmation
+      byte bEntryValidationCondition =
+              reader.getbEntryValidationCondition();
+      byte bNumberMessage = (byte) 0x03;      // 3 messages
+      byte wLangIdL = (byte) 0x0C;            
+      byte wLangIdH = (byte) 0x04;            
+      byte bMsgIndex1 = (byte) 0x00;          // insertion
+      byte bMsgIndex2 = (byte) 0x01;          // modification
+      byte bMsgIndex3 = (byte) 0x02;          // confirmation
 
       byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x24, (byte) 0x00, kid, (byte) 0x10,  // CLA INS P1 P2 LC
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,               // Data
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,                // ...
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,               // Data
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff                // ...
+        (byte) 0x00, (byte) 0x24, (byte) 0x00, kid, (byte) 0x10, 
+        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,      
+        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,      
+        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,      
+        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff       
+      };
+
+      int offset = 0;
+      byte[] pinModifyStructure = new byte[offset + 24 + apdu.length];
+      pinModifyStructure[offset++] = bTimeOut;
+      pinModifyStructure[offset++] = bTimeOut2;
+      pinModifyStructure[offset++] = bmFormatString;
+      pinModifyStructure[offset++] = bmPINBlockString;
+      pinModifyStructure[offset++] = bmPINLengthFormat;
+      pinModifyStructure[offset++] = bInsertionOffsetOld;
+      pinModifyStructure[offset++] = bInsertionOffsetNew;
+      pinModifyStructure[offset++] = wPINMaxExtraDigitL;
+      pinModifyStructure[offset++] = wPINMaxExtraDigitH;
+      pinModifyStructure[offset++] = bConfirmPIN;
+      pinModifyStructure[offset++] = bEntryValidationCondition;
+      pinModifyStructure[offset++] = bNumberMessage;
+      pinModifyStructure[offset++] = wLangIdL;
+      pinModifyStructure[offset++] = wLangIdH;
+      pinModifyStructure[offset++] = bMsgIndex1;
+      pinModifyStructure[offset++] = bMsgIndex2;
+      pinModifyStructure[offset++] = bMsgIndex3;
+
+      pinModifyStructure[offset++] = 0x00;
+      pinModifyStructure[offset++] = 0x00;
+      pinModifyStructure[offset++] = 0x00;
+
+      pinModifyStructure[offset++] = (byte) apdu.length;
+      pinModifyStructure[offset++] = 0x00;
+      pinModifyStructure[offset++] = 0x00;
+      pinModifyStructure[offset++] = 0x00;
+      System.arraycopy(apdu, 0, pinModifyStructure, offset, apdu.length);
+
+//      log.debug("PIN MODIFY " + SMCCHelper.toString(pinModifyStructure));
+      return pinModifyStructure;
+  }
+  private byte[] getActivatePINModifyStructure(byte kid) {
+
+      byte bTimeOut = reader.getbTimeOut();   
+      byte bTimeOut2 = reader.getbTimeOut2(); 
+      byte bmFormatString = (byte) 0x89;      
+      byte bmPINBlockString = (byte) 0x47;    
+      byte bmPINLengthFormat = (byte) 0x04;   
+      byte bInsertionOffsetOld = (byte) 0x00; // ignored
+      byte bInsertionOffsetNew = (byte) 0x00; 
+      byte wPINMaxExtraDigitL =
+              (reader.getwPINMaxExtraDigitL() < (byte) 0x12) ?
+                reader.getwPINMaxExtraDigitL() : (byte) 0x12;
+      byte wPINMaxExtraDigitH =               // Min=4/6 digits TODO card/ss pin (min: 4/6)
+              (reader.getwPINMaxExtraDigitH() > (byte) 0x04) ?
+                reader.getwPINMaxExtraDigitH() : (byte) 0x04;
+      byte bConfirmPIN = (byte) 0x01;         // confirm, no current pin entry
+      byte bEntryValidationCondition =
+              reader.getbEntryValidationCondition();
+      byte bNumberMessage = (byte) 0x02;      // 2 messages
+      byte wLangIdL = (byte) 0x0c;
+      byte wLangIdH = (byte) 0x04;
+      byte bMsgIndex1 = (byte) 0x01;          // modification prompt
+      byte bMsgIndex2 = (byte) 0x02;          // confirmation prompt
+      byte bMsgIndex3 = (byte) 0x00;           
+
+      byte[] apdu = new byte[] {
+        (byte) 0x00, (byte) 0x24, (byte) 0x01, kid, (byte) 0x08,
+        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff
       };
 
       int offset = 0;
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
index 293b9c71..253ac7a0 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
@@ -17,6 +17,7 @@
 
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.ccid.CCID;
 import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
@@ -44,6 +45,7 @@ import java.util.Locale;
 
 import java.util.Map;
 import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
 import javax.smartcardio.CardTerminal;
 
 import org.apache.commons.logging.Log;
@@ -419,7 +421,50 @@ public class SWCard implements SignatureCard {
   }
 
   @Override
-  public boolean ifdSupportsFeature(byte feature) {
-    return false;
+  public CCID getReader() {
+    return new CCID() {
+
+      @Override
+      public boolean hasFeature(Byte feature) {
+        return false;
+      }
+
+      @Override
+      public byte[] transmitControlCommand(Byte feature, byte[] ctrlCommand)
+              throws SignatureCardException {
+        throw new SignatureCardException(CCID.FEATURES[feature.intValue()] +
+                " not supported");
+      }
+
+      @Override
+      public byte getbTimeOut() {
+        return 0;
+      }
+
+      @Override
+      public byte getbTimeOut2() {
+        return 0;
+      }
+
+      @Override
+      public byte getwPINMaxExtraDigitL() {
+        return 0x12;
+      }
+
+      @Override
+      public byte getwPINMaxExtraDigitH() {
+        return 0x00;
+      }
+
+      @Override
+      public byte getbEntryValidationCondition() {
+        return 0x02;
+      }
+
+      @Override
+      public Card connect() {
+        return null;
+      }
+    };
   }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
index 2097e6d3..ad530ad5 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
@@ -28,6 +28,7 @@
 //
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.ccid.CCID;
 import java.util.List;
 import java.util.Locale;
 
@@ -36,14 +37,6 @@ import javax.smartcardio.CardTerminal;
 
 public interface SignatureCard {
 
-  /**
-   * IFD FEATURES
-   */
-  static final Byte FEATURE_VERIFY_PIN_DIRECT = new Byte((byte) 0x06);
-  static final Byte FEATURE_MODIFY_PIN_DIRECT = new Byte((byte) 0x07);
-  static final Byte FEATURE_MCT_READER_DIRECT = new Byte((byte) 0x08);
-  static final Byte FEATURE_IFD_PIN_PROPERTIES = new Byte((byte) 0x0a);
-
   public static class KeyboxName {
 
     public static KeyboxName SECURE_SIGNATURE_KEYPAIR = new KeyboxName(
@@ -143,11 +136,7 @@ public interface SignatureCard {
   public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider)
           throws CancelledException, SignatureCardException, InterruptedException;
 
-  /**
-   * TODO
-   * @return
-   */
-  public boolean ifdSupportsFeature(byte feature);
+  public CCID getReader();
 
   /**
    * Sets the local for evtl. required callbacks (e.g. PINSpec)
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java b/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java
new file mode 100644
index 00000000..2c56ce98
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.ccid;
+
+import at.gv.egiz.smcc.*;
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public interface CCID {
+
+
+  String[] FEATURES = new String[]{"NO_FEATURE",
+    "FEATURE_VERIFY_PIN_START",
+    "FEATURE_VERIFY_PIN_FINISH",
+    "FEATURE_MODIFY_PIN_START",
+    "FEATURE_MODIFY_PIN_FINISH",
+    "FEATURE_GET_KEY_PRESSED",
+    "FEATURE_VERIFY_PIN_DIRECT",
+    "FEATURE_MODIFY_PIN_DIRECT",
+    "FEATURE_MCT_READER_DIRECT",
+    "FEATURE_MCT_UNIVERSAL",
+    "FEATURE_IFD_PIN_PROPERTIES",
+    "FEATURE_ABORT",
+    "FEATURE_SET_SPE_MESSAGE",
+    "FEATURE_VERIFY_PIN_DIRECT_APP_ID",
+    "FEATURE_MODIFY_PIN_DIRECT_APP_ID",
+    "FEATURE_WRITE_DISPLAY",
+    "FEATURE_GET_KEY",
+    "FEATURE_IFD_DISPLAY_PROPERTIES"};
+  
+  Byte FEATURE_IFD_PIN_PROPERTIES = new Byte((byte) 10);
+  Byte FEATURE_MCT_READER_DIRECT = new Byte((byte) 8);
+  Byte FEATURE_MODIFY_PIN_DIRECT = new Byte((byte) 7);
+  Byte FEATURE_VERIFY_PIN_DIRECT = new Byte((byte) 6);
+  
+  Card connect() throws CardException;
+
+  boolean hasFeature(Byte feature);
+
+  /**
+   *
+   * @param feature the corresponding control code will be transmitted
+   * @param ctrlCommand
+   * @return
+   * @throws at.gv.egiz.smcc.SignatureCardException if feature is not supported
+   * or card communication fails
+   */
+  byte[] transmitControlCommand(Byte feature, byte[] ctrlCommand) throws SignatureCardException;
+
+  /**
+   * allow subclasses to override default (deal with reader bugs)
+   * @return
+   */
+  byte getbTimeOut();
+  byte getbTimeOut2();
+  byte getwPINMaxExtraDigitL();
+  byte getwPINMaxExtraDigitH();
+  byte getbEntryValidationCondition();
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java b/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java
new file mode 100644
index 00000000..2cc77dc9
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java
@@ -0,0 +1,264 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.ccid;
+
+import at.gv.egiz.smcc.*;
+import at.gv.egiz.smcc.util.SMCCHelper;
+import java.util.HashMap;
+import java.util.Map;
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class DefaultReader implements CCID {
+
+  protected final static Log log = LogFactory.getLog(DefaultReader.class);
+
+  private static int CTL_CODE(int code) {
+    return 0x42000000 + code;
+  }
+
+  int IOCTL_GET_FEATURE_REQUEST = CTL_CODE(3400);
+
+
+  protected Card icc;
+  protected CardTerminal ct;
+
+  /**
+   * supported features and respective control codes
+   */
+  protected Map<Byte, Integer> features;
+
+  public DefaultReader(Card icc, CardTerminal ct) {
+    if (icc == null || ct == null) {
+      throw new NullPointerException("no card or card terminal provided");
+    }
+    this.icc = icc;
+    this.ct = ct;
+    features = queryFeatures(); 
+  }
+
+  public Card connect() throws CardException { //SignatureCardException {
+//      try {
+    icc = ct.connect("*");
+    return icc;
+//      } catch (CardException ex) {
+//        log.error(ex.getMessage(), ex);
+//        throw new SignatureCardException("Failed to connect to card: " + ex.getMessage());
+//      }
+  }
+
+  Map<Byte, Integer> queryFeatures() {
+    Map<Byte, Integer> features = new HashMap<Byte, Integer>();
+
+    if (icc == null) {
+      log.warn("invalid card handle, cannot query ifd features");
+    } else {
+      try {
+        if (log.isTraceEnabled()) {
+          log.trace("GET_FEATURE_REQUEST " +
+                  Integer.toHexString(IOCTL_GET_FEATURE_REQUEST) +
+                  " on " + ct.getName());
+        }
+        byte[] resp = icc.transmitControlCommand(IOCTL_GET_FEATURE_REQUEST,
+                new byte[]{});
+
+        if (log.isTraceEnabled()) {
+          log.trace("Response TLV " + SMCCHelper.toString(resp));
+        }
+        // tag
+        // length in bytes (always 4)
+        // control code value for supported feature (in big endian)
+        for (int i = 0; i < resp.length; i += 6) {
+          Byte feature = new Byte(resp[i]);
+          int ioctlBigEndian = (resp[i + 2] << 24) |
+                  (resp[i + 3] << 16) | (resp[i + 4] << 8) | resp[i + 5];
+          Integer ioctl = new Integer(ioctlBigEndian);
+          if (log.isInfoEnabled()) {
+            log.info("CCID supports " + FEATURES[feature.intValue()] +
+                    ": " + Integer.toHexString(ioctl.intValue()));
+          }
+          features.put(feature, ioctl);
+        }
+      } catch (CardException ex) {
+        log.debug("Failed to query CCID features: " + ex.getMessage());
+        log.trace(ex);
+        log.info("CCID does not support PINPad");
+      }
+    }
+    return features;
+  }
+
+  @Override
+  public boolean hasFeature(Byte feature) {
+    if (features != null) {
+      return features.containsKey(feature);
+    }
+    return false;
+  }
+
+//  public Integer getIOCTL(Byte feature) {
+//    if (features != null) {
+//      return features.get(feature);
+//    }
+//    return null;
+//  }
+
+  @Override
+  public byte[] transmitControlCommand(Byte feature, byte[] ctrlCommand)
+          throws SignatureCardException {
+    try {
+      if (!features.containsKey(feature)) {
+        throw new SignatureCardException(FEATURES[feature.intValue()] + " not supported");
+      }
+      int ioctl = features.get(feature);
+      if (log.isTraceEnabled()) {
+        log.trace("CtrlCommand (" + Integer.toHexString(ioctl) +
+                ")  " + SMCCHelper.toString(ctrlCommand));
+      }
+      byte[] resp = icc.transmitControlCommand(ioctl, ctrlCommand);
+      if (log.isTraceEnabled()) {
+        log.trace("CtrlCommand Response " + SMCCHelper.toString(resp));
+      }
+      return resp;
+    } catch (CardException ex) {
+      log.error(ex.getMessage());
+      throw new SignatureCardException("Failed to transmit CtrlCommand for " +
+              FEATURES[feature.intValue()]);
+    }
+  }
+
+
+  @Override
+  public byte getbTimeOut() {
+    return (byte) 0x3c;    // (max 1min on ReinerSCT),
+                           // 0x00=default, 0x1e = 30sec
+  }
+
+  @Override
+  public byte getbTimeOut2() {
+    return (byte) 0x00;    // default
+  }
+
+  @Override
+  public byte getwPINMaxExtraDigitL() {
+    return (byte) 0x12;
+  }
+
+  @Override
+  public byte getwPINMaxExtraDigitH() {
+    return (byte) 0x00;
+  }
+
+  @Override
+  public byte getbEntryValidationCondition() {
+    return (byte) 0x02;    // validation key pressed
+  }
+
+
+  //  protected byte ifdGetKeyPressed() throws CardException {
+//    if (ifdSupportsFeature(FEATURE_VERIFY_PIN_DIRECT)) {
+//
+//      Long controlCode = (Long) IFD_IOCTL.get(new Byte((byte) 0x05));
+//
+//      byte key = 0x00;
+//      while (key == 0x00) {
+//
+//        byte[] resp = card_.transmitControlCommand(controlCode.intValue(), new byte[] {});
+//
+//        if (resp != null && resp.length > 0) {
+//          key = resp[0];
+//        }
+//      }
+//
+//      System.out.println("Key: " + key);
+//
+//    }
+//
+//    return 0x00;
+//  }
+//
+//  protected byte[] ifdVerifyPINFinish() throws CardException {
+//    if (ifdSupportsFeature(FEATURE_VERIFY_PIN_DIRECT)) {
+//
+//      Long controlCode = (Long) IFD_IOCTL.get(new Byte((byte) 0x02));
+//
+//      byte[] resp = card_.transmitControlCommand(controlCode.intValue(), new byte[] {});
+//
+//      System.out.println("CommandResp: " + toString(resp));
+//
+//      return resp;
+//
+//    }
+//
+//    return null;
+//  }
+
+
+  /**
+   * assumes ifdSupportsVerifyPIN() == true
+   * @param pinVerifyStructure
+   * @return
+   * @throws javax.smartcardio.CardException
+   */
+//  protected byte[] ifdVerifyPIN(byte[] pinVerifyStructure) throws CardException {
+//
+////      Long ctrlCode = (Long) ifdFeatures.get(FEATURE_IFD_PIN_PROPERTIES);
+////      if (ctrlCode != null) {
+////        if (log.isTraceEnabled()) {
+////          log.trace("PIN_PROPERTIES CtrlCode " + Integer.toHexString(ctrlCode.intValue()));
+////        }
+////        byte[] resp = card_.transmitControlCommand(ctrlCode.intValue(), new byte[] {});
+////
+////        if (log.isTraceEnabled()) {
+////          log.trace("PIN_PROPERTIES Response " + SMCCHelper.toString(resp));
+////        }
+////      }
+//
+//
+//      Long ctrlCode = (Long) ifdFeatures.get(FEATURE_VERIFY_PIN_DIRECT);
+//      if (ctrlCode == null) {
+//        throw new NullPointerException("no CtrlCode for FEATURE_VERIFY_PIN_DIRECT");
+//      }
+//
+//      if (log.isTraceEnabled()) {
+//        log.trace("VERIFY_PIN_DIRECT CtrlCode " + Integer.toHexString(ctrlCode.intValue()) +
+//                ", PIN_VERIFY_STRUCTURE " + SMCCHelper.toString(pinVerifyStructure));
+//      }
+//      byte[] resp = card_.transmitControlCommand(ctrlCode.intValue(), pinVerifyStructure);
+//
+//      if (log.isTraceEnabled()) {
+//        log.trace("VERIFY_PIN_DIRECT Response " + SMCCHelper.toString(resp));
+//      }
+//      return resp;
+//  }
+
+//  protected Long getControlCode(Byte feature) {
+//    if (ifdFeatures != null) {
+//      return ifdFeatures.get(feature);
+//    }
+//    return null;
+//  }
+
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ccid/GemplusGemPCPinpad.java b/smcc/src/main/java/at/gv/egiz/smcc/ccid/GemplusGemPCPinpad.java
new file mode 100644
index 00000000..903b11fc
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ccid/GemplusGemPCPinpad.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.ccid;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardTerminal;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class GemplusGemPCPinpad extends DefaultReader {
+
+  protected final static Log log = LogFactory.getLog(GemplusGemPCPinpad.class);
+
+  public GemplusGemPCPinpad(Card icc, CardTerminal ct) {
+    super(icc, ct);
+    log.info("Initializing Gemplus GemPC Pinpad reader");
+    log.info("Gemplus GemPC Pinpad allows PINs to have 4-8 digits");
+
+  }
+
+  @Override
+  public byte getbTimeOut() {
+    return (byte) 0x3c;    // 0x00 default = 15sec
+                           // max 40sec (?)
+  }
+
+  @Override
+  public byte getbTimeOut2() {
+    return (byte) 0x00;    // 0x00 default = 15sec
+  }
+
+  @Override
+  public byte getwPINMaxExtraDigitL() {
+    return (byte) 0x08; 
+  }
+
+  @Override
+  public byte getwPINMaxExtraDigitH() {
+    return (byte) 0x04;
+  }
+
+  @Override
+  public byte getbEntryValidationCondition() {
+    return (byte) 0x02;    // validation key pressed
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ccid/ReaderFactory.java b/smcc/src/main/java/at/gv/egiz/smcc/ccid/ReaderFactory.java
new file mode 100644
index 00000000..2cfcef19
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ccid/ReaderFactory.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package at.gv.egiz.smcc.ccid;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardTerminal;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class ReaderFactory {
+
+  public static CCID getReader(Card icc, CardTerminal ct) {
+    if ("Gemplus GemPC Pinpad 00 00".equals(ct.getName())) {
+      return new GemplusGemPCPinpad(icc, ct);
+    }
+    return new DefaultReader(icc, ct);
+  }
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java
new file mode 100644
index 00000000..5839d14a
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java
@@ -0,0 +1,135 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package at.gv.egiz.smcc;
+
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+import at.gv.egiz.smcc.util.SMCCHelper;
+import java.util.List;
+import java.util.Locale;
+import javax.smartcardio.ResponseAPDU;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author clemens
+ */
+@Ignore
+public class ACOSCardTest {
+
+  static ACOSCard card;
+  static PINSpec infPin, decPin, sigPin;
+
+    public ACOSCardTest() {
+    }
+
+  @BeforeClass
+  public static void setUpClass() throws Exception {
+    SMCCHelper smccHelper = new SMCCHelper();
+      switch (smccHelper.getResultCode()) {
+        case SMCCHelper.CARD_FOUND:
+          SignatureCard sigCard = smccHelper.getSignatureCard(Locale.GERMAN);
+          if (sigCard instanceof ACOSCard) {
+            System.out.println("ACOS card found");
+            card = (ACOSCard) sigCard;
+            List<PINSpec> pinSpecs = card.getPINSpecs();
+            infPin = pinSpecs.get(ACOSCard.PINSPEC_INF);
+            decPin = pinSpecs.get(ACOSCard.PINSPEC_DEC);
+            sigPin = pinSpecs.get(ACOSCard.PINSPEC_SIG);
+          } else {
+            throw new Exception("not STARCOS card: " + sigCard.toString());
+          }
+          break;
+        default:
+          throw new Exception("no card found");
+      }
+  }
+
+  @AfterClass
+  public static void tearDownClass() throws Exception {
+  }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+
+
+  /**
+   * Test of verifyPIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testVerifyPIN_pinpad() throws Exception {
+    System.out.println("verifyPIN (pinpad)");
+    assertNotNull(card);
+
+    card.verifyPIN(decPin, new PINProvider() {
+
+      @Override
+      public char[] providePIN(PINSpec spec, int retries) {
+        return null;
+      }
+    });
+  }
+
+  /**
+   * Test of verifyPIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testVerifyPIN_internal() throws Exception {
+    System.out.println("verifyPIN (internal)");
+    assertNotNull(card);
+
+    card.reset();
+
+    card.getCard().beginExclusive();
+
+    // 0x6700 without sending an APDU prior to send CtrlCmd
+    System.out.println("WARNING: this command will fail if no card " +
+            "communication took place prior to sending the CtrlCommand");
+    int retries = card.verifyPIN(decPin.getKID(), null); //"1397".toCharArray());
+
+    System.out.println("VERIFY PIN returned " + retries);
+    card.getCard().endExclusive();
+  }
+
+  /**
+   * Test of changePIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testChangePIN() throws Exception {
+    System.out.println("changePIN");
+    assertNotNull(card);
+
+    card.reset();
+    int retries = card.changePIN(decPin.getKID(), null, null);
+
+    System.out.println("CHANGE PIN returned " + retries);
+  }
+
+  /**
+   * Test of reset method, of class STARCOSCard.
+   */
+  @Test
+  public void testReset() throws Exception {
+    System.out.println("reset");
+    assertNotNull(card);
+    card.reset();
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
new file mode 100644
index 00000000..9be8db00
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
@@ -0,0 +1,267 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package at.gv.egiz.smcc;
+
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+import at.gv.egiz.smcc.util.SMCCHelper;
+import java.util.List;
+import java.util.Locale;
+import javax.smartcardio.ResponseAPDU;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author clemens
+ */
+@Ignore
+public class STARCOSCardTest {
+
+  static STARCOSCard card;
+  static PINSpec cardPin, ssPin;
+
+    public STARCOSCardTest() {
+    }
+
+  @BeforeClass
+  public static void setUpClass() throws Exception {
+    SMCCHelper smccHelper = new SMCCHelper();
+      switch (smccHelper.getResultCode()) {
+        case SMCCHelper.CARD_FOUND:
+          SignatureCard sigCard = smccHelper.getSignatureCard(Locale.GERMAN);
+          if (sigCard instanceof STARCOSCard) {
+            System.out.println("STARCOS card found");
+            card = (STARCOSCard) sigCard;
+            List<PINSpec> pinSpecs = card.getPINSpecs();
+            cardPin = pinSpecs.get(STARCOSCard.PINSPEC_CARD);
+            ssPin = pinSpecs.get(STARCOSCard.PINSPEC_SS);
+
+          } else {
+            throw new Exception("not STARCOS card: " + sigCard.toString());
+          }
+          break;
+        default:
+          throw new Exception("no card found");
+      }
+  }
+
+  @AfterClass
+  public static void tearDownClass() throws Exception {
+  }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+  /**
+   * Test of getCertificate method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testGetCertificate() throws Exception {
+    System.out.println("getCertificate");
+    KeyboxName keyboxName = null;
+    STARCOSCard instance = new STARCOSCard();
+    byte[] expResult = null;
+    byte[] result = instance.getCertificate(keyboxName);
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+  /**
+   * Test of getInfobox method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testGetInfobox() throws Exception {
+    System.out.println("getInfobox");
+    String infobox = "";
+    PINProvider provider = null;
+    String domainId = "";
+    STARCOSCard instance = new STARCOSCard();
+    byte[] expResult = null;
+    byte[] result = instance.getInfobox(infobox, provider, domainId);
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+  /**
+   * Test of createSignature method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testCreateSignature() throws Exception {
+    System.out.println("createSignature");
+    byte[] hash = null;
+    KeyboxName keyboxName = null;
+    PINProvider provider = null;
+    STARCOSCard instance = new STARCOSCard();
+    byte[] expResult = null;
+    byte[] result = instance.createSignature(hash, keyboxName, provider);
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+  /**
+   * Test of selectFileFID method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testSelectFileFID() throws Exception {
+    System.out.println("selectFileFID");
+    byte[] fid = null;
+    STARCOSCard instance = new STARCOSCard();
+    ResponseAPDU expResult = null;
+    ResponseAPDU result = instance.selectFileFID(fid);
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+  /**
+   * Test of verifyPIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testVerifyPIN_pinpad() throws Exception {
+    System.out.println("verifyPIN (pinpad)");
+    assertNotNull(card);
+
+    card.verifyPIN(cardPin, new PINProvider() {
+
+      @Override
+      public char[] providePIN(PINSpec spec, int retries) {
+        return null;
+      }
+    });
+  }
+
+  /**
+   * Test of verifyPIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testVerifyPIN_internal() throws Exception {
+    System.out.println("verifyPIN (internal)");
+    assertNotNull(card);
+
+    card.reset();
+
+    card.getCard().beginExclusive();
+
+    // 0x6700 without sending an APDU prior to send CtrlCmd
+    System.out.println("WARNING: this command will fail if no card " +
+            "communication took place prior to sending the CtrlCommand");
+    int retries = card.verifyPIN(cardPin.getKID(), null); //"1397".toCharArray());
+
+    System.out.println("VERIFY PIN returned " + retries);
+    card.getCard().endExclusive();
+  }
+
+  /**
+   * Test of verifyPIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testVerifyPIN_byte() throws Exception {
+    System.out.println("verifyPIN");
+    byte kid = 0;
+    STARCOSCard instance = new STARCOSCard();
+    int expResult = 0;
+    int result = instance.verifyPIN(kid);
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+  /**
+   * Test of changePIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testChangePIN() throws Exception {
+    System.out.println("changePIN");
+    assertNotNull(card);
+
+    card.reset();
+    int retries = card.changePIN(cardPin.getKID(), null, null);
+
+    System.out.println("CHANGE PIN returned " + retries);
+  }
+
+  /**
+   * Test of activatePIN method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testActivatePIN() throws Exception {
+    System.out.println("activatePIN");
+    assertNotNull(card);
+
+    card.reset();
+    card.activatePIN(cardPin, new PINProvider() {
+
+      @Override
+      public char[] providePIN(PINSpec spec, int retries) throws CancelledException, InterruptedException {
+        return null;
+      }
+    });
+  }
+
+  /**
+   * Test of encodePINBlock method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testEncodePINBlock() throws Exception {
+    System.out.println("encodePINBlock");
+    char[] pin = null;
+    STARCOSCard instance = new STARCOSCard();
+    byte[] expResult = null;
+    byte[] result = instance.encodePINBlock(pin);
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+  /**
+   * Test of reset method, of class STARCOSCard.
+   */
+  @Test
+  public void testReset() throws Exception {
+    System.out.println("reset");
+    assertNotNull(card);
+    card.reset();
+  }
+
+  /**
+   * Test of toString method, of class STARCOSCard.
+   */
+  @Test
+  @Ignore
+  public void testToString() {
+    System.out.println("toString");
+    STARCOSCard instance = new STARCOSCard();
+    String expResult = "";
+    String result = instance.toString();
+    assertEquals(expResult, result);
+    // TODO review the generated test code and remove the default call to fail.
+    fail("The test case is a prototype.");
+  }
+
+}
\ No newline at end of file
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java
index e32f08d4..e2499023 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java
@@ -35,7 +35,7 @@ public abstract class AbstractPINProvider implements PINProvider, ActionListener
 
   protected String action;
 
-  private boolean actionPerformed;
+  protected boolean actionPerformed;
 
 //  protected void waitForAction() throws InterruptedException {
 //    super.wait();
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java
index 670b71dc..ce1b2d00 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java
@@ -18,6 +18,7 @@
 package at.gv.egiz.bku.smccstal;
 
 import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.smcc.ccid.CCID;
 import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.stal.signedinfo.SignedInfoType;
@@ -32,7 +33,7 @@ public abstract class PINProviderFactory {
   
   public static PINProviderFactory getInstance(SignatureCard forCard,
           BKUGUIFacade gui) {
-    if (forCard.ifdSupportsFeature(SignatureCard.FEATURE_VERIFY_PIN_DIRECT)) {
+    if (forCard.getReader().hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
       return new PinpadPINProviderFactory(gui);
     } else {
       return new SoftwarePINProviderFactory(gui);
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PinpadPINProviderFactory.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PinpadPINProviderFactory.java
index 55321b72..c109ceba 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PinpadPINProviderFactory.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PinpadPINProviderFactory.java
@@ -21,9 +21,8 @@ import at.gv.egiz.bku.gui.BKUGUIFacade;
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.PINSpec;
-import at.gv.egiz.stal.HashDataInput;
 import at.gv.egiz.stal.signedinfo.SignedInfoType;
-import java.util.List;
+import java.security.DigestException;
 
 /**
  *
@@ -51,8 +50,9 @@ public class PinpadPINProviderFactory extends PINProviderFactory {
 
 //    protected BKUGUIFacade gui;
     protected SecureViewer viewer;
+    protected ViewerThread viewerThread;
     protected SignedInfoType signedInfo;
-    protected List<HashDataInput> hashDataInputs;
+
 
     private SignaturePinProvider(SecureViewer viewer,
             SignedInfoType signedInfo) {
@@ -60,61 +60,92 @@ public class PinpadPINProviderFactory extends PINProviderFactory {
       this.signedInfo = signedInfo;
     }
 
+    protected class ViewerThread extends Thread {
+
+      PINSpec pinSpec;
+      int retries;
+
+      public ViewerThread(PINSpec pinSpec, int retries) {
+        this.pinSpec = pinSpec;
+        this.retries = retries;
+      }
+
+      @Override
+      public void run() {
+
+        try {
+
+          gui.showPinpadSignaturePINDialog(pinSpec, retries,
+              SignaturePinProvider.this, "secureViewer");
+
+          while (true) {
+            waitForAction();
+
+            if ("secureViewer".equals(action)) {
+              viewer.displayDataToBeSigned(signedInfo,
+                      SignaturePinProvider.this, "pinEntry");
+            } else if ("pinEntry".equals(action)) {
+              gui.showPinpadSignaturePINDialog(pinSpec, retries,
+                      SignaturePinProvider.this, "secureViewer");
+            } else {
+              log.error("unsupported action command: " + action);
+            }
+          }
+
+        } catch (DigestException ex) {
+          log.error("Bad digest value: " + ex.getMessage());
+          gui.showErrorDialog(BKUGUIFacade.ERR_INVALID_HASH,
+                  new Object[]{ex.getMessage()});
+        } catch (InterruptedException ex) {
+          log.info("pinpad secure viewer thread interrupted");
+        } catch (Exception ex) {
+          log.error("Could not display hashdata inputs: " +
+                  ex.getMessage());
+          gui.showErrorDialog(BKUGUIFacade.ERR_DISPLAY_HASHDATA,
+                  new Object[]{ex.getMessage()});
+        }
+      }
+    }
+
     @Override
     public char[] providePIN(PINSpec spec, int retries)
             throws CancelledException, InterruptedException {
 
-      showPinpadPINDialog(retries, spec);
+      if (viewerThread != null) {
+        updateViewerThread(retries);
+      } else {
+        viewerThread = new ViewerThread(spec, -1);
+        viewerThread.start();
+      }
+//      if (viewerThread != null) {
+//        log.trace("interrupt old secure viewer thread");
+//        viewerThread.interrupt();
+//      }
+//      viewerThread = new ViewerThread(spec, (retry) ? retries : -1);
+//      log.trace("start new secure viewer thread");
+//      viewerThread.start();
+
       retry = true;
       return null;
-
-//      do {
-//        waitForAction();
-//        gui.showWaitDialog(null);
-//
-//        if ("hashData".equals(action)) {
-//          // show pin dialog in background
-//          gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
-//                  this, "sign",
-//                  this, "cancel",
-//                  this, "hashData");
-//
-//          viewer.displayDataToBeSigned(signedInfo.getReference());
-//
-//        } else if ("sign".equals(action)) {
-//          retry = true;
-//          return gui.getPin();
-//        } else if ("hashDataDone".equals(action)) {
-//          gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
-//                  this, "sign",
-//                  this, "cancel",
-//                  this, "hashData");
-//        } else if ("cancel".equals(action) ||
-//                "error".equals(action)) {
-//          throw new CancelledException(spec.getLocalizedName() +
-//                  " entry cancelled");
-//        }
-//      } while (true);
     }
 
-    private void showPinpadPINDialog(int retries, PINSpec pinSpec) {
-      String title, message;
-      Object[] params;
-      if (retry) {
-        title = BKUGUIFacade.TITLE_RETRY;
-        message = BKUGUIFacade.MESSAGE_RETRIES;
-        params = new Object[]{String.valueOf(retries)};
-      } else {
-        title = BKUGUIFacade.TITLE_SIGN;
-        message = BKUGUIFacade.MESSAGE_ENTERPIN_PINPAD;
-        String pinSize = String.valueOf(pinSpec.getMinLength());
-        if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
-          pinSize += "-" + pinSpec.getMaxLength();
-        }
-        params = new Object[]{pinSpec.getLocalizedName(), pinSize};
-      }
-      gui.showMessageDialog(title, message, params);
+    private synchronized void updateViewerThread(int retries) {
+      log.trace("update viewer thread");
+      viewerThread.retries = retries;
+      action = "pinEntry";
+      actionPerformed = true;
+      notify();
     }
+
+
+//    @Override
+//    protected void finalize() throws Throwable {
+//      if (viewerThread != null) {
+//        viewerThread.interrupt();
+//      }
+//      log.info("finalizing Pinpad SignaturePinProvider");
+//      super.finalize();
+//    }
   }
 
   class CardPinProvider extends AbstractPINProvider {
@@ -151,5 +182,5 @@ public class PinpadPINProviderFactory extends PINProviderFactory {
       gui.showMessageDialog(title, message, params);
     }
   }
-}
+  }
 
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SecureViewer.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SecureViewer.java
index c395679a..2ee37dc1 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SecureViewer.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SecureViewer.java
@@ -14,12 +14,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package at.gv.egiz.bku.smccstal;
 
-import at.gv.egiz.stal.signedinfo.ReferenceType;
+import at.gv.egiz.stal.signedinfo.SignedInfoType;
+import java.awt.event.ActionListener;
 import java.security.DigestException;
-import java.util.List;
 
 /**
  *
@@ -38,7 +37,7 @@ public interface SecureViewer {
    * (or any other digest computation error occurs)
    * @throws java.lang.Exception
    */
-  void displayDataToBeSigned(List<ReferenceType> signedReferences) 
-          throws DigestException, Exception;
-
+  void displayDataToBeSigned(SignedInfoType signedInfo,
+          ActionListener okListener, String okCommand)
+        throws DigestException, Exception;
 }
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index ac510f38..7a4f6572 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -33,7 +33,6 @@ import org.apache.commons.logging.LogFactory;
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
-import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
@@ -47,11 +46,12 @@ import at.gv.egiz.stal.signedinfo.ObjectFactory;
 import at.gv.egiz.stal.signedinfo.SignedInfoType;
 import at.gv.egiz.stal.util.JCEAlgorithmNames;
 
-public abstract class SignRequestHandler extends AbstractRequestHandler implements SecureViewer {
+public class SignRequestHandler extends AbstractRequestHandler {
 
     private static Log log = LogFactory.getLog(SignRequestHandler.class);
     private static JAXBContext jaxbContext;
     private PINProviderFactory pinProviderFactory;
+    private SecureViewer secureViewer;
     
     static {
         try {
@@ -61,6 +61,10 @@ public abstract class SignRequestHandler extends AbstractRequestHandler implemen
         }
     }
 
+    public SignRequestHandler(SecureViewer secureViewer) {
+      this.secureViewer = secureViewer;
+    }
+
     @SuppressWarnings("unchecked")
     @Override
     public STALResponse handleRequest(STALRequest request) throws InterruptedException {
@@ -85,10 +89,8 @@ public abstract class SignRequestHandler extends AbstractRequestHandler implemen
                 if (pinProviderFactory == null) {
                   pinProviderFactory = PINProviderFactory.getInstance(card, gui);
                 }
-                PINProvider pinProvider = pinProviderFactory.
-                        getSignaturePINProvider(this, si.getValue());
-                
-                byte[] resp = card.createSignature(md.digest(), kb, pinProvider);
+                byte[] resp = card.createSignature(md.digest(), kb, 
+                        pinProviderFactory.getSignaturePINProvider(secureViewer, si.getValue()));
                 if (resp == null) {
                     return new ErrorResponse(6001);
                 }
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SoftwarePINProviderFactory.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SoftwarePINProviderFactory.java
index 54a34280..7d36c2c3 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SoftwarePINProviderFactory.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SoftwarePINProviderFactory.java
@@ -49,7 +49,6 @@ public class SoftwarePINProviderFactory extends PINProviderFactory {
 //    protected BKUGUIFacade gui;
     protected SecureViewer viewer;
     protected SignedInfoType signedInfo;
-    protected List<HashDataInput> hashDataInputs;
 
     private SignaturePinProvider(SecureViewer viewer,
             SignedInfoType signedInfo) {
@@ -64,22 +63,14 @@ public class SoftwarePINProviderFactory extends PINProviderFactory {
       gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
               this, "sign",
               this, "cancel",
-              this, "hashData");
+              this, "secureViewer");
 
       do {
         waitForAction();
-        gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
-                BKUGUIFacade.MESSAGE_WAIT);
-
-        if ("hashData".equals(action)) {
-          // show pin dialog in background
-          gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
-                  this, "sign",
-                  this, "cancel",
-                  this, "hashData");
 
+        if ("secureViewer".equals(action)) {
           try {
-            viewer.displayDataToBeSigned(signedInfo.getReference());
+            viewer.displayDataToBeSigned(signedInfo, this, "pinEntry");
           } catch (DigestException ex) {
             log.error("Bad digest value: " + ex.getMessage());
             gui.showErrorDialog(BKUGUIFacade.ERR_INVALID_HASH,
@@ -93,17 +84,23 @@ public class SoftwarePINProviderFactory extends PINProviderFactory {
                     this, "error");
           }
         } else if ("sign".equals(action)) {
+          gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+                BKUGUIFacade.MESSAGE_WAIT);
           retry = true;
           return gui.getPin();
-        } else if ("hashDataDone".equals(action)) {
+        } else if ("pinEntry".equals(action)) {
           gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
                   this, "sign",
                   this, "cancel",
-                  this, "hashData");
+                  this, "secureViewer");
         } else if ("cancel".equals(action) ||
                 "error".equals(action)) {
+          gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+                BKUGUIFacade.MESSAGE_WAIT);
           throw new CancelledException(spec.getLocalizedName() +
                   " entry cancelled");
+        } else {
+          log.error("unknown action command " + action);
         }
       } while (true);
     }
diff --git a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
index 51dfe0da..1c1cb833 100644
--- a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
+++ b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
@@ -1,5 +1,6 @@
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.ccid.CCID;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
@@ -109,10 +110,10 @@ public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
       }
 
       @Override
-      public boolean ifdSupportsFeature(byte feature) {
-        return false;
+      public CCID getReader() {
+        throw new UnsupportedOperationException("Not supported yet.");
       }
-     
+
    };
     return false;
   }
-- 
cgit v1.2.3


From 6cb4a071eab9a3b8cf78b8ec7e407aa148f2d038 Mon Sep 17 00:00:00 2001
From: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Wed, 1 Jul 2009 13:03:41 +0000
Subject: Major refactoring of SMCC

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@381 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../smccstal/ext/PINManagementRequestHandler.java  |  306 ++----
 .../java/at/gv/egiz/bku/local/app/BKULauncher.java |    3 -
 BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.wsdl   |    2 +-
 smcc/pom.xml                                       |    5 +
 smcc/src/main/java/at/gv/egiz/smcc/ACOS04Card.java |   30 -
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   | 1089 ++++++++++---------
 .../at/gv/egiz/smcc/AbstractSignatureCard.java     |  541 +---------
 .../at/gv/egiz/smcc/CardNotSupportedException.java |   44 +-
 .../java/at/gv/egiz/smcc/ChangePINProvider.java    |   33 +-
 .../gv/egiz/smcc/ChangeReferenceDataAPDUSpec.java  |   95 ++
 .../at/gv/egiz/smcc/ExclSignatureCardProxy.java    |  110 ++
 smcc/src/main/java/at/gv/egiz/smcc/Exclusive.java  |   28 +
 .../main/java/at/gv/egiz/smcc/LogCardChannel.java  |  129 +++
 .../at/gv/egiz/smcc/NewReferenceDataAPDUSpec.java  |   60 ++
 .../at/gv/egiz/smcc/PINConfirmationException.java  |    2 +
 .../java/at/gv/egiz/smcc/PINFormatException.java   |    2 +
 .../java/at/gv/egiz/smcc/PINMgmtSignatureCard.java |   41 +
 .../gv/egiz/smcc/PINOperationAbortedException.java |    2 +
 .../src/main/java/at/gv/egiz/smcc/PINProvider.java |   44 +-
 smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java    |   34 +-
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 1110 ++++++++------------
 smcc/src/main/java/at/gv/egiz/smcc/SWCard.java     |   61 +-
 .../main/java/at/gv/egiz/smcc/SignatureCard.java   |   69 +-
 .../at/gv/egiz/smcc/SignatureCardException.java    |   45 +-
 .../java/at/gv/egiz/smcc/SignatureCardFactory.java |   49 +-
 .../main/java/at/gv/egiz/smcc/VerifyAPDUSpec.java  |  200 ++++
 smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java  |   28 +-
 .../java/at/gv/egiz/smcc/ccid/DefaultReader.java   |  357 ++++++-
 .../at/gv/egiz/smcc/conf/SMCCConfiguration.java    |    2 +
 .../java/at/gv/egiz/smcc/util/ISO7816Utils.java    |  359 +++++++
 .../egiz/smcc/util/TransparentFileInputStream.java |  194 ++++
 .../test/java/at/gv/egiz/smcc/ACOSCardTest.java    |  135 ---
 .../test/java/at/gv/egiz/smcc/AbstractAppl.java    |   56 +
 smcc/src/test/java/at/gv/egiz/smcc/CardAppl.java   |   43 +
 .../test/java/at/gv/egiz/smcc/CardChannelEmul.java |   52 +
 smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java   |  106 ++
 .../java/at/gv/egiz/smcc/CardTerminalEmul.java     |   64 ++
 smcc/src/test/java/at/gv/egiz/smcc/CardTest.java   |  298 ++++++
 .../test/java/at/gv/egiz/smcc/CardTestSuite.java   |   29 +
 smcc/src/test/java/at/gv/egiz/smcc/File.java       |   38 +
 smcc/src/test/java/at/gv/egiz/smcc/PIN.java        |   41 +
 .../test/java/at/gv/egiz/smcc/STARCOSCardTest.java |  267 -----
 .../egiz/smcc/TransparentFileInputStreamTest.java  |  208 ++++
 .../test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java |  151 +++
 .../test/java/at/gv/egiz/smcc/acos/A03ApplSIG.java |   77 ++
 .../at/gv/egiz/smcc/acos/A03CardChannelEmul.java   |   98 ++
 .../java/at/gv/egiz/smcc/acos/A03CardEmul.java     |   36 +
 .../java/at/gv/egiz/smcc/acos/A03CardTest.java     |   91 ++
 .../test/java/at/gv/egiz/smcc/acos/A04ApplDEC.java |  296 ++++++
 .../test/java/at/gv/egiz/smcc/acos/A04ApplSIG.java |   87 ++
 .../at/gv/egiz/smcc/acos/A04CardChannelEmul.java   |   75 ++
 .../java/at/gv/egiz/smcc/acos/A04CardEmul.java     |   37 +
 .../java/at/gv/egiz/smcc/acos/A04CardTest.java     |  143 +++
 .../test/java/at/gv/egiz/smcc/acos/ACOSAppl.java   |   79 ++
 .../java/at/gv/egiz/smcc/acos/ACOSApplDEC.java     |  334 ++++++
 .../java/at/gv/egiz/smcc/acos/ACOSApplSIG.java     |  302 ++++++
 .../at/gv/egiz/smcc/acos/ACOSCardChannelEmul.java  |  261 +++++
 .../java/at/gv/egiz/smcc/acos/ACOSCardEmul.java    |   38 +
 .../java/at/gv/egiz/smcc/acos/ACOSCardTest.java    |  243 +++++
 .../at/gv/egiz/smcc/acos/ACOSCardTestSuite.java    |   27 +
 .../java/at/gv/egiz/smcc/starcos/STARCOSAppl.java  |   95 ++
 .../starcos/STARCOSApplGewoehnlicheSignatur.java   |  332 ++++++
 .../gv/egiz/smcc/starcos/STARCOSApplInfobox.java   |  160 +++
 .../smcc/starcos/STARCOSApplSichereSignatur.java   |  347 ++++++
 .../egiz/smcc/starcos/STARCOSCardChannelEmul.java  |  375 +++++++
 .../at/gv/egiz/smcc/starcos/STARCOSCardEmul.java   |   50 +
 .../at/gv/egiz/smcc/starcos/STARCOSCardTest.java   |  297 ++++++
 .../at/gv/egiz/smcc/util/ISO7816UtilsTest.java     |  175 +++
 .../bku/smccstal/InfoBoxReadRequestHandler.java    |    4 +-
 .../java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java |   35 +-
 70 files changed, 8026 insertions(+), 2630 deletions(-)
 delete mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ACOS04Card.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ChangeReferenceDataAPDUSpec.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ExclSignatureCardProxy.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/Exclusive.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/LogCardChannel.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/NewReferenceDataAPDUSpec.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/VerifyAPDUSpec.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/util/TransparentFileInputStream.java
 delete mode 100644 smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/CardAppl.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/CardChannelEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/CardTerminalEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/CardTestSuite.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/File.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/PIN.java
 delete mode 100644 smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/TransparentFileInputStreamTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplSIG.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardChannelEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplDEC.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplSIG.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardChannelEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSAppl.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardChannelEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTestSuite.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/util/ISO7816UtilsTest.java

(limited to 'smcc/src/test/java')

diff --git a/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PINManagementRequestHandler.java b/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PINManagementRequestHandler.java
index 72a7c4cc..e0b09d63 100644
--- a/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PINManagementRequestHandler.java
+++ b/BKUAppletExt/src/main/java/at/gv/egiz/bku/smccstal/ext/PINManagementRequestHandler.java
@@ -16,41 +16,32 @@
  */
 package at.gv.egiz.bku.smccstal.ext;
 
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import at.gv.egiz.bku.gui.BKUGUIFacade;
 import at.gv.egiz.bku.gui.PINManagementGUIFacade;
-import at.gv.egiz.bku.gui.PINManagementGUIFacade.DIALOG;
 import at.gv.egiz.bku.gui.PINManagementGUIFacade.STATUS;
 import at.gv.egiz.bku.smccstal.AbstractRequestHandler;
-import at.gv.egiz.bku.smccstal.PINProviderFactory;
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
 import at.gv.egiz.smcc.PINConfirmationException;
 import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINMgmtSignatureCard;
 import at.gv.egiz.smcc.PINOperationAbortedException;
-import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.PINSpec;
-import at.gv.egiz.smcc.STARCOSCard;
-import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.smcc.TimeoutException;
-import at.gv.egiz.smcc.VerificationFailedException;
-import at.gv.egiz.smcc.util.SMCCHelper;
+import at.gv.egiz.smcc.PINMgmtSignatureCard.PIN_STATE;
 import at.gv.egiz.stal.ErrorResponse;
 import at.gv.egiz.stal.STALRequest;
 import at.gv.egiz.stal.STALResponse;
 import at.gv.egiz.stal.ext.PINManagementRequest;
 import at.gv.egiz.stal.ext.PINManagementResponse;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import javax.smartcardio.Card;
-import javax.smartcardio.CardChannel;
-import javax.smartcardio.CardException;
-import javax.smartcardio.CommandAPDU;
-import javax.smartcardio.ResponseAPDU;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 
 /**
  *
@@ -60,23 +51,36 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
 
   protected static final Log log = LogFactory.getLog(PINManagementRequestHandler.class);
 
-  protected Map<PINSpec, STATUS> pinStatuses;
+  protected Map<PINSpec, STATUS> pinStates = new HashMap<PINSpec, STATUS>();
 
   @Override
   public STALResponse handleRequest(STALRequest request) throws InterruptedException {
     if (request instanceof PINManagementRequest) {
 
-      PINManagementGUIFacade gui = (PINManagementGUIFacade) this.gui;
+    PINManagementGUIFacade gui = (PINManagementGUIFacade) this.gui;
+      
+    PINSpec selectedPIN = null;
 
-      PINSpec selectedPIN = null;
+    try {
 
-      try {
+      if (card instanceof PINMgmtSignatureCard) {
 
-      pinStatuses = getPINStatuses();
-      
-      gui.showPINManagementDialog(pinStatuses,
-              this, "activate_enterpin", "change_enterpin", "unblock_enterpuk", "verify_enterpin",
-              this, "cancel");
+        // update all PIN states
+        for (PINSpec pinSpec : ((PINMgmtSignatureCard) card).getPINSpecs()) {
+          updatePINState(pinSpec, STATUS.UNKNOWN);
+        }
+        
+        gui.showPINManagementDialog(pinStates, this, "activate_enterpin",
+              "change_enterpin", "unblock_enterpuk", "verify_enterpin", this,
+              "cancel");
+        
+      } else {
+        
+        // card does not support PIN management
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_UNSUPPORTED_CARD,
+              null, this, "cancel");
+        
+      }
 
       while (true) {
 
@@ -97,9 +101,9 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
           try {
             if ("activate_enterpin".equals(actionCommand)) {
               log.info("activate " + selectedPIN.getLocalizedName());
-              card.activatePIN(selectedPIN,
+              ((PINMgmtSignatureCard) card).activatePIN(selectedPIN,
                       ppfac.getActivatePINProvider());
-              updatePINStatus(selectedPIN, STATUS.ACTIV);
+              updatePINState(selectedPIN, STATUS.ACTIV);
               gui.showMessageDialog(PINManagementGUIFacade.TITLE_ACTIVATE_SUCCESS,
                       PINManagementGUIFacade.MESSAGE_ACTIVATE_SUCCESS,
                       new Object[] {selectedPIN.getLocalizedName()},
@@ -107,9 +111,9 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
               waitForAction();
             } else if ("change_enterpin".equals(actionCommand)) {
               log.info("change " + selectedPIN.getLocalizedName());
-              card.changePIN(selectedPIN, 
+              ((PINMgmtSignatureCard) card).changePIN(selectedPIN, 
                       ppfac.getChangePINProvider());
-              updatePINStatus(selectedPIN, STATUS.ACTIV);
+              updatePINState(selectedPIN, STATUS.ACTIV);
               gui.showMessageDialog(PINManagementGUIFacade.TITLE_CHANGE_SUCCESS,
                       PINManagementGUIFacade.MESSAGE_CHANGE_SUCCESS,
                       new Object[] {selectedPIN.getLocalizedName()},
@@ -118,13 +122,13 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
 
             } else if ("unblock_enterpuk".equals(actionCommand)) {
               log.info("unblock " + selectedPIN.getLocalizedName());
-              card.unblockPIN(selectedPIN,
+              ((PINMgmtSignatureCard) card).unblockPIN(selectedPIN,
                       ppfac.getUnblockPINProvider());
             } else if ("verify_enterpin".equals(actionCommand)) {
               log.info("verify " + selectedPIN.getLocalizedName());
-              card.verifyPIN(selectedPIN,
+              ((PINMgmtSignatureCard) card).verifyPIN(selectedPIN,
                       ppfac.getVerifyPINProvider());
-              updatePINStatus(selectedPIN, STATUS.ACTIV);
+              updatePINState(selectedPIN, STATUS.ACTIV);
             }
           } catch (CancelledException ex) {
             log.trace("cancelled");
@@ -137,14 +141,14 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
             waitForAction();
           } catch (LockedException ex) {
             log.error(selectedPIN.getLocalizedName() + " locked");
-            updatePINStatus(selectedPIN, STATUS.BLOCKED);
+            updatePINState(selectedPIN, STATUS.BLOCKED);
             gui.showErrorDialog(PINManagementGUIFacade.ERR_LOCKED,
                     new Object[] {selectedPIN.getLocalizedName()},
                     this, null);
             waitForAction();
           } catch (NotActivatedException ex) {
             log.error(selectedPIN.getLocalizedName() + " not active");
-            updatePINStatus(selectedPIN, STATUS.NOT_ACTIV);
+            updatePINState(selectedPIN, STATUS.NOT_ACTIV);
             gui.showErrorDialog(PINManagementGUIFacade.ERR_NOT_ACTIVE,
                     new Object[] {selectedPIN.getLocalizedName()},
                     this, null);
@@ -176,7 +180,7 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
         } // end if
 
         selectedPIN = null;
-        gui.showPINManagementDialog(pinStatuses,
+        gui.showPINManagementDialog(pinStates,
                 this, "activate_enterpin", "change_enterpin", "unblock_enterpuk", "verify_enterpin",
                 this, "cancel");
       } // end while
@@ -206,70 +210,6 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
     return true;
   }
 
-  private Map<PINSpec, STATUS> getPINStatuses() throws GetPINStatusException {
-    HashMap<PINSpec, STATUS> pinStatuses = new HashMap<PINSpec, STATUS>();
-    List<PINSpec> pins = card.getPINSpecs();
-
-    if (card instanceof STARCOSCard) {
-      Card icc = card.getCard();
-      try {
-        icc.beginExclusive();
-        CardChannel channel = icc.getBasicChannel();
-
-        for (PINSpec pinSpec : pins) {
-          byte kid = pinSpec.getKID();
-          byte[] contextAID = pinSpec.getContextAID();
-
-          if (contextAID != null) {
-            CommandAPDU selectAPDU = new CommandAPDU(0x00, 0xa4, 0x04, 0x0c, contextAID);
-            ResponseAPDU responseAPDU = channel.transmit(selectAPDU);
-            if (responseAPDU.getSW() != 0x9000) {
-              icc.endExclusive();
-              String msg = "Select AID " + SMCCHelper.toString(pinSpec.getContextAID()) +
-                  ": SW=" + Integer.toHexString(responseAPDU.getSW());
-              log.error(msg);
-              throw new GetPINStatusException(msg);
-            }
-          }
-
-          CommandAPDU verifyAPDU = new CommandAPDU(new byte[] {
-            (byte) 0x00, (byte) 0x20, (byte) 00, kid });
-          ResponseAPDU responseAPDU = channel.transmit(verifyAPDU);
-
-          STATUS status = STATUS.UNKNOWN;
-          if (responseAPDU.getSW() == 0x6984) {
-            status = STATUS.NOT_ACTIV;
-          } else if (responseAPDU.getSW() == 0x63c0) {
-            status = STATUS.BLOCKED;
-          } else if (responseAPDU.getSW1() == 0x63) {
-            status = STATUS.ACTIV;
-          }
-          if (log.isDebugEnabled()) {
-            log.debug("PIN " + pinSpec.getLocalizedName() +
-                    " status: " + SMCCHelper.toString(responseAPDU.getBytes()));
-          }
-          pinStatuses.put(pinSpec, status);
-        }
-        return pinStatuses;
-
-      } catch (CardException ex) {
-        log.error("Failed to get PIN status: " + ex.getMessage(), ex);
-        throw new GetPINStatusException(ex.getMessage());
-      } finally {
-        try {
-          icc.endExclusive();
-        } catch (CardException ex) {
-          log.trace("failed to end exclusive card access: " + ex.getMessage());
-        }
-      }
-    } else {
-      for (PINSpec pinSpec : pins) {
-        pinStatuses.put(pinSpec, STATUS.UNKNOWN);
-      }
-    }
-    return pinStatuses;
-  }
-
   /**
    * query status for STARCOS card,
    * assume provided status for ACOS card
@@ -277,154 +217,28 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
    * @param status
    * @throws at.gv.egiz.smcc.SignatureCardException if query status fails
    */
-  private void updatePINStatus(PINSpec pinSpec, STATUS status) throws GetPINStatusException {
-    if (card instanceof STARCOSCard) {
-      Card icc = card.getCard();
-      try {
-        icc.beginExclusive();
-        CardChannel channel = icc.getBasicChannel();
-
-          byte kid = pinSpec.getKID();
-          byte[] contextAID = pinSpec.getContextAID();
-
-          if (contextAID != null) {
-            CommandAPDU selectAPDU = new CommandAPDU(0x00, 0xa4, 0x04, 0x0c, contextAID);
-            ResponseAPDU responseAPDU = channel.transmit(selectAPDU);
-            if (responseAPDU.getSW() != 0x9000) {
-              icc.endExclusive();
-              String msg = "Select AID " + SMCCHelper.toString(pinSpec.getContextAID()) +
-                  ": SW=" + Integer.toHexString(responseAPDU.getSW());
-              log.error(msg);
-              throw new GetPINStatusException(msg);
-            }
-          }
-
-          CommandAPDU verifyAPDU = new CommandAPDU(new byte[] {
-            (byte) 0x00, (byte) 0x20, (byte) 00, kid });
-          ResponseAPDU responseAPDU = channel.transmit(verifyAPDU);
-
-          status = STATUS.UNKNOWN;
-          if (responseAPDU.getSW() == 0x6984) {
-            status = STATUS.NOT_ACTIV;
-          } else if (responseAPDU.getSW() == 0x63c0) {
-            status = STATUS.BLOCKED;
-          } else if (responseAPDU.getSW1() == 0x63) {
-            status = STATUS.ACTIV;
-          }
-          if (log.isDebugEnabled()) {
-            log.debug(pinSpec.getLocalizedName() +
-                    " status: " + SMCCHelper.toString(responseAPDU.getBytes()));
-          }
-          pinStatuses.put(pinSpec, status);
-
-      } catch (CardException ex) {
-        log.error("Failed to get PIN status: " + ex.getMessage(), ex);
-        throw new GetPINStatusException(ex.getMessage());
-      } finally {
-        try {
-          icc.endExclusive();
-        } catch (CardException ex) {
-          log.warn("failed to end exclusive card access: " + ex.getMessage());
-        }
-      }
+  private void updatePINState(PINSpec pinSpec, STATUS status)
+      throws GetPINStatusException {
+
+    PINMgmtSignatureCard pmCard = ((PINMgmtSignatureCard) card);
+    PIN_STATE pinState;
+    try {
+      pinState = pmCard.getPINState(pinSpec);
+    } catch (SignatureCardException e) {
+      String msg = "Failed to get PIN status for pin '"
+          + pinSpec.getLocalizedName() + "'.";
+      log.info(msg, e);
+      throw new GetPINStatusException(msg);
+    }
+    if (pinState == PIN_STATE.ACTIV) {
+      pinStates.put(pinSpec, STATUS.ACTIV);
+    } else if (pinState == PIN_STATE.NOT_ACTIV) {
+      pinStates.put(pinSpec, STATUS.NOT_ACTIV);
+    } else if (pinState == PIN_STATE.BLOCKED) {
+      pinStates.put(pinSpec, STATUS.BLOCKED);
     } else {
-      pinStatuses.put(pinSpec, status);
+      pinStates.put(pinSpec, status);
     }
   }
 
-//  /**
-//   * provides oldPin and newPin from one dialog,
-//   * and don't know whether providePIN() or provideOldPIN() is called first.
-//   */
-//  class SoftwarePinProvider implements PINProvider {
-//
-//    private PINManagementGUIFacade.DIALOG type;
-//    private boolean retry = false;
-//
-//    private char[] newPin;
-//    private char[] oldPin;
-//
-//    public SoftwarePinProvider(DIALOG type) {
-//      this.type = type;
-//    }
-//
-//    @Override
-//    public char[] providePIN(PINSpec spec, int retries)
-//            throws CancelledException, InterruptedException {
-//      if (newPin == null) {
-//        getPINs(spec, retries);
-//      }
-//      char[] pin = newPin;
-//      newPin = null;
-//      return pin;
-//    }
-//
-//    @Override
-//    public char[] provideOldPIN(PINSpec spec, int retries)
-//            throws CancelledException, InterruptedException {
-//      if (oldPin == null) {
-//        getPINs(spec, retries);
-//      }
-//      char[] pin = oldPin;
-//      oldPin = null;
-//      return pin;
-//    }
-//
-//    private void getPINs(PINSpec spec, int retries)
-//            throws InterruptedException, CancelledException {
-//      PINManagementGUIFacade gui =
-//              (PINManagementGUIFacade) PINManagementRequestHandler.this.gui;
-//
-//      if (retry) {
-//        gui.showPINDialog(type, spec, retries,
-//              PINManagementRequestHandler.this, "exec",
-//              PINManagementRequestHandler.this, "back");
-//      } else {
-//        gui.showPINDialog(type, spec,
-//              PINManagementRequestHandler.this, "exec",
-//              PINManagementRequestHandler.this, "back");
-//      }
-//      waitForAction();
-//
-//      if (actionCommand.equals("exec")) {
-//        gui.showWaitDialog(null);
-//        retry = true;
-//        oldPin = gui.getOldPin();
-//        newPin = gui.getPin();
-//      } else if (actionCommand.equals("back")) {
-//        throw new CancelledException();
-//      } else {
-//        log.error("unsupported command " + actionCommand);
-//        throw new CancelledException();
-//      }
-//    }
-//  }
-//
-//
-//  class PinpadPinProvider implements PINProvider {
-//
-//    private PINManagementGUIFacade.DIALOG type;
-//    private boolean retry = false;
-//
-//    public PinpadPinProvider(DIALOG type) {
-//      this.type = type;
-//    }
-//
-//    @Override
-//    public char[] providePIN(PINSpec spec, int retries) {
-//      log.debug("provide pin for " + type);
-//      if (retry) {
-//        ((PINManagementGUIFacade) gui).showPinpadPINDialog(type, spec, retries);
-//      } else {
-//        ((PINManagementGUIFacade) gui).showPinpadPINDialog(type, spec, -1);
-//        retry = true;
-//      }
-//      return null;
-//    }
-//
-//    @Override
-//    public char[] provideOldPIN(PINSpec spec, int retries) {
-//      return null;
-//    }
-//  }
 }
diff --git a/BKULocalApp/src/main/java/at/gv/egiz/bku/local/app/BKULauncher.java b/BKULocalApp/src/main/java/at/gv/egiz/bku/local/app/BKULauncher.java
index 09695808..213114d0 100644
--- a/BKULocalApp/src/main/java/at/gv/egiz/bku/local/app/BKULauncher.java
+++ b/BKULocalApp/src/main/java/at/gv/egiz/bku/local/app/BKULauncher.java
@@ -24,9 +24,6 @@ import org.apache.commons.cli.PosixParser;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import at.gv.egiz.bku.local.ui.BKUControllerInterface;
-import at.gv.egiz.bku.local.ui.TrayIconDialog;
-import at.gv.egiz.bku.utils.HexDump;
 import at.gv.egiz.bku.utils.StreamUtil;
 
 public class BKULauncher implements BKUControllerInterface {
diff --git a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.wsdl b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.wsdl
index 9ef43f39..dc7ad8f1 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.wsdl
+++ b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.wsdl
@@ -24,7 +24,7 @@
     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
     <types>
         <xsd:schema targetNamespace="http://www.egiz.gv.at/wsdl/stal">
-            <xsd:import namespace="http://www.egiz.gv.at/stal" schemaLocation="stal-service.xsd"/>
+            <xsd:import namespace="http://www.egiz.gv.at/stal" schemaLocation="stal.xsd"/>
             <!--xsd:import namespace="http://www.egiz.gv.at/stal" schemaLocation="stal-extended.xsd"/-->
         </xsd:schema>
         <!-- test 
diff --git a/smcc/pom.xml b/smcc/pom.xml
index 6a9f52a3..ce414318 100644
--- a/smcc/pom.xml
+++ b/smcc/pom.xml
@@ -32,6 +32,11 @@
       <artifactId>junit</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>iaik</groupId>
+      <artifactId>iaik_jce_full_signed</artifactId>
+      <scope>test</scope>
+    </dependency>
     <!-- FIXME just for testing 
     <dependency>
       <groupId>iaik</groupId>
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOS04Card.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOS04Card.java
deleted file mode 100644
index 9fca6ab9..00000000
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOS04Card.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package at.gv.egiz.smcc;
-
-/**
- *
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public class ACOS04Card extends ACOSCard {
-
-  public ACOS04Card() {
-    pinSpecs.remove(PINSPEC_INF);
-  }
-
-}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index d064b821..9825978c 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -1,48 +1,47 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.ccid.CCID;
-import at.gv.egiz.smcc.util.SMCCHelper;
-import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
-import java.nio.charset.Charset;
-
+import java.io.IOException;
+import java.security.AlgorithmParameters;
+import java.security.GeneralSecurityException;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.DESedeKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
 import javax.smartcardio.CommandAPDU;
 import javax.smartcardio.ResponseAPDU;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-public class ACOSCard extends AbstractSignatureCard {
+import at.gv.egiz.smcc.util.ISO7816Utils;
+import at.gv.egiz.smcc.util.SMCCHelper;
+import at.gv.egiz.smcc.util.TransparentFileInputStream;
+
+public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureCard {
 
   private static Log log = LogFactory.getLog(ACOSCard.class);
 
@@ -69,6 +68,8 @@ public class ACOSCard extends AbstractSignatureCard {
       (byte) 0x01 };
 
   public static final byte[] EF_INFOBOX = new byte[] { (byte) 0xc0, (byte) 0x02 };
+  
+  public static final byte[] EF_INFO = new byte[] { (byte) 0xd0, (byte) 0x02 };
 
   public static final int EF_INFOBOX_MAX_SIZE = 1500;
 
@@ -90,7 +91,7 @@ public class ACOSCard extends AbstractSignatureCard {
       (byte) 0x14 // ECDSA
   };
 
-  public static final byte[] DST_DEC = new byte[] { (byte) 0x84, (byte) 0x01, // tag
+  public static final byte[] AT_DEC = new byte[] { (byte) 0x84, (byte) 0x01, // tag
       // ,
       // length
       // (
@@ -102,123 +103,278 @@ public class ACOSCard extends AbstractSignatureCard {
       (byte) 0x01 // RSA // TODO: Not verified yet
   };
 
-  protected static final int PINSPEC_INF = 0;
-  protected static final int PINSPEC_DEC = 1;
-  protected static final int PINSPEC_SIG = 2;
+  private static final PINSpec DEC_PIN_SPEC = new PINSpec(0, 8, "[0-9]",
+      "at/gv/egiz/smcc/ACOSCard", "dec.pin.name", KID_PIN_DEC, AID_DEC);
+
+  private static final PINSpec SIG_PIN_SPEC = new PINSpec(0, 8, "[0-9]",
+      "at/gv/egiz/smcc/ACOSCard", "sig.pin.name", KID_PIN_SIG, AID_SIG);
+
+  private static final PINSpec INF_PIN_SPEC = new PINSpec(0, 8, "[0-9]",
+      "at/gv/egiz/smcc/ACOSCard", "inf.pin.name", KID_PIN_INF, AID_DEC);
+  
+  /**
+   * The version of the card's digital signature application.
+   */
+  protected int appVersion = -1;
 
   public ACOSCard() {
     super("at/gv/egiz/smcc/ACOSCard");
-    pinSpecs.add(PINSPEC_INF,
-            new PINSpec(0, 8, "[0-9]", getResourceBundle().getString("inf.pin.name"), KID_PIN_INF, AID_DEC));
-    pinSpecs.add(PINSPEC_DEC, 
-            new PINSpec(0, 8, "[0-9]", getResourceBundle().getString("dec.pin.name"), KID_PIN_DEC, AID_DEC));
-    pinSpecs.add(PINSPEC_SIG, 
-            new PINSpec(0, 8, "[0-9]", getResourceBundle().getString("sig.pin.name"), KID_PIN_SIG, AID_SIG));
   }
 
-  /* (non-Javadoc)
-   * @see at.gv.egiz.smcc.SignatureCard#getCertificate(at.gv.egiz.smcc.SignatureCard.KeyboxName)
-   */
   @Override
+  public void init(Card card, CardTerminal cardTerminal) {
+    super.init(card, cardTerminal);
+
+    // determine application version
+    try {
+      CardChannel channel = getCardChannel();
+      // SELECT application
+      execSELECT_AID(channel, AID_SIG);
+      // SELECT file
+      execSELECT_FID(channel, EF_INFO);
+      // READ BINARY
+      TransparentFileInputStream is = ISO7816Utils.openTransparentFileInputStream(channel, 8);
+      appVersion = is.read();
+      log.info("a-sign premium application version = " + appVersion);
+    } catch (FileNotFoundException e) {
+      appVersion = 1;
+      log.info("a-sign premium application version = " + appVersion);
+    } catch (SignatureCardException e) {
+      log.warn(e);
+      appVersion = 0;
+    } catch (IOException e) {
+      log.warn(e);
+      appVersion = 0;
+    } catch (CardException e) {
+      log.warn(e);
+      appVersion = 0;
+    } 
+    
+    pinSpecs.add(DEC_PIN_SPEC);
+    pinSpecs.add(SIG_PIN_SPEC);
+    if (appVersion < 2) {
+      pinSpecs.add(INF_PIN_SPEC);
+    }
+
+  }
+
+  @Override
+  @Exclusive
   public byte[] getCertificate(KeyboxName keyboxName)
       throws SignatureCardException, InterruptedException {
-  
-    try {
-      
+    
+      byte[] aid;
+      byte[] fid;
       if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
-        
-        try {
-          getCard().beginExclusive();
-          byte[] certificate = readTLVFile(AID_SIG, EF_C_CH_DS, EF_C_CH_DS_MAX_SIZE);
-          if (certificate == null) {
-            throw new NotActivatedException();
-          }
-          return certificate;
-        } catch (FileNotFoundException e) {
-          throw new NotActivatedException();
-        } finally {
-          getCard().endExclusive();
-        }
-        
+        aid = AID_SIG;
+        fid = EF_C_CH_DS;
       } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
-        
-        try {
-          getCard().beginExclusive();
-          byte[] certificate = readTLVFile(AID_DEC, EF_C_CH_EKEY, EF_C_CH_EKEY_MAX_SIZE);
-          if (certificate == null) {
-            throw new NotActivatedException();
-          }
-          return certificate;
-        } catch (FileNotFoundException e) {
-          throw new NotActivatedException();
-        } finally {
-          getCard().endExclusive();
-        }
-        
+        aid = AID_DEC;
+        fid = EF_C_CH_EKEY;
       } else {
         throw new IllegalArgumentException("Keybox " + keyboxName
             + " not supported.");
       }
 
-    } catch (CardException e) {
-      log.warn(e);
-      throw new SignatureCardException("Failed to access card.", e);
-    }
-    
+      try {
+        CardChannel channel = getCardChannel();
+        // SELECT application
+        execSELECT_AID(channel, aid);
+        // SELECT file
+        byte[] fcx = execSELECT_FID(channel, fid);
+        int maxSize = -1;
+        if (getAppVersion() < 2) {
+          maxSize = ISO7816Utils.getLengthFromFCx(fcx);
+          log.debug("Size of selected file = " + maxSize);
+        }
+        // READ BINARY
+        byte[] certificate = ISO7816Utils.readTransparentFileTLV(channel, maxSize, (byte) 0x30);
+        if (certificate == null) {
+          throw new NotActivatedException();
+        }
+        return certificate;
+      } catch (FileNotFoundException e) {
+        throw new NotActivatedException();
+      } catch (CardException e) {
+        log.info("Failed to get certificate.", e);
+        throw new SignatureCardException(e);
+      } 
+
+      
   }
 
-  /* (non-Javadoc)
-   * @see at.gv.egiz.smcc.SignatureCard#getInfobox(java.lang.String, at.gv.egiz.smcc.PINProvider, java.lang.String)
-   */
   @Override
+  @Exclusive
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
       throws SignatureCardException, InterruptedException {
+    
+    if ("IdentityLink".equals(infobox)) {
+      if (getAppVersion() < 2) {
+        return getIdentityLinkV1(provider, domainId);
+      } else {
+        return getIdentityLinkV2(provider, domainId);
+      }
+    } else {
+      throw new IllegalArgumentException("Infobox '" + infobox
+          + "' not supported.");
+    }
+  
+  }
+
+  protected byte[] getIdentityLinkV1(PINProvider provider, String domainId) 
+      throws SignatureCardException, InterruptedException {
+    
+    try {
+      CardChannel channel = getCardChannel();
+      // SELECT application
+      execSELECT_AID(channel, AID_DEC);
+      // SELECT file
+      byte[] fcx = execSELECT_FID(channel, EF_INFOBOX);
+      int maxSize = ISO7816Utils.getLengthFromFCx(fcx);
+      log.debug("Size of selected file = " + maxSize);
+      // READ BINARY
+      while(true) {
+        try {
+          return ISO7816Utils.readTransparentFileTLV(channel, maxSize, (byte) 0x30);
+        } catch (SecurityStatusNotSatisfiedException e) {
+          verifyPINLoop(channel, INF_PIN_SPEC, provider);
+        }
+      }
+      
+    } catch (FileNotFoundException e) {
+      throw new NotActivatedException();
+    } catch (CardException e) {
+      log.info("Faild to get infobox.", e);
+      throw new SignatureCardException(e);
+    }
+    
+  }
   
+  protected byte[] getIdentityLinkV2(PINProvider provider, String domainId)
+      throws SignatureCardException, InterruptedException {
+    
     try {
-      if ("IdentityLink".equals(infobox)) {
- 
-        PINSpec spec = pinSpecs.get(PINSPEC_INF);
-        //new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("inf.pin.name"));
+      CardChannel channel = getCardChannel();
+      // SELECT application
+      execSELECT_AID(channel, AID_DEC);
+      // SELECT file
+      execSELECT_FID(channel, EF_INFOBOX);
+      
+      // READ BINARY
+      TransparentFileInputStream is = ISO7816Utils.openTransparentFileInputStream(channel, -1);
+      
+      int b = is.read();
+      if (b == 0x00) {
+        return null;
+      }
+      if (b != 0x41 || is.read() != 0x49 || is.read() != 0x4b) {
+        String msg = "Infobox structure invalid.";
+        log.info(msg);
+        throw new SignatureCardException(msg);
+      }
         
-        int retries = -1;
-        boolean pinRequired = false;
+      b = is.read();
+      if (b != 0x01) {
+        String msg = "Infobox structure v" + b + " not supported.";
+        log.info(msg);
+        throw new SignatureCardException(msg);
+      }
+      
+      while ((b = is.read()) != 0x01 && b != 00) {
+        is.read(); // modifiers
+        is.skip(is.read() + (is.read() << 8)); // length
+      }
+      
+      if (b != 0x01) {
+        return null; 
+      }
+      
+      int modifiers = is.read();
+      int length = is.read() + (is.read() << 8);
 
-        do {
-          try {
-            getCard().beginExclusive();
-            if (pinRequired) {
-              char[] pin = provider.providePIN(spec, retries);
-              return readTLVFile(AID_DEC, EF_INFOBOX, pin, spec.getKID(), EF_INFOBOX_MAX_SIZE);
-            } else {
-              return readTLVFile(AID_DEC, EF_INFOBOX, EF_INFOBOX_MAX_SIZE);
-            }
-          } catch (FileNotFoundException e) {
-            throw new NotActivatedException();
-          } catch (SecurityStatusNotSatisfiedException e) {
-            pinRequired = true;
-          } catch (VerificationFailedException e) {
-            pinRequired = true;
-            retries = e.getRetries();
-          } finally {
-            getCard().endExclusive();
-          }
-        } while (retries != 0);
+      byte[] bytes;
+      byte[] key = null;
+      
+      switch (modifiers) {
+      case 0x00:
+        bytes = new byte[length];
+        break;
+      case 0x01:
+        key = new byte[is.read() + (is.read() << 8)];
+        is.read(key);
+        bytes = new byte[length - key.length - 2];
+        break;
+      default:
+        String msg = "Compressed infobox structure not yet supported.";
+        log.info(msg);
+        throw new SignatureCardException(msg);
+      }
+      
+      is.read(bytes);
+      
+      if (key == null) {
+        return bytes;
+      }
 
-        throw new LockedException();
+      execMSE(channel, 0x41, 0xb8, new byte[] {
+          (byte) 0x84, (byte) 0x01, (byte) 0x88, (byte) 0x80, (byte) 0x01,
+          (byte) 0x02 });
 
-      } else {
-        throw new IllegalArgumentException("Infobox '" + infobox
-            + "' not supported.");
-      }
 
+      byte[] plainKey = null;
+
+      while (true) {
+        try {
+          plainKey = execPSO_DECIPHER(channel, key);
+          break;
+        } catch(SecurityStatusNotSatisfiedException e) {
+          verifyPINLoop(channel, DEC_PIN_SPEC, provider);
+        }
+      }
+      
+      try {
+        Cipher cipher = Cipher
+            .getInstance("DESede/CBC/PKCS5Padding");
+        byte[] iv = new byte[8];
+        Arrays.fill(iv, (byte) 0x00);
+        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+        AlgorithmParameters parameters = AlgorithmParameters
+            .getInstance("DESede");
+        parameters.init(ivParameterSpec);
+
+        DESedeKeySpec keySpec = new DESedeKeySpec(plainKey);
+        SecretKeyFactory keyFactory = SecretKeyFactory
+            .getInstance("DESede");
+        SecretKey secretKey = keyFactory.generateSecret(keySpec);
+
+        cipher.init(Cipher.DECRYPT_MODE, secretKey, parameters);
+
+        return cipher.doFinal(bytes);
+
+      } catch (GeneralSecurityException e) {
+        String msg = "Failed to decrypt infobox.";
+        log.info(msg, e);
+        throw new SignatureCardException(msg, e);
+      }
+      
+      
+    } catch (FileNotFoundException e) {
+      throw new NotActivatedException();
     } catch (CardException e) {
-      log.warn(e);
-      throw new SignatureCardException("Failed to access card.", e);
+      log.info("Faild to get infobox.", e);
+      throw new SignatureCardException(e);
+    } catch (IOException e) {
+      if (e.getCause() instanceof SignatureCardException) {
+        throw (SignatureCardException) e.getCause();
+      } else {
+        throw new SignatureCardException(e);
+      }
     }
-  
+    
   }
-
+  
   @Override
+  @Exclusive
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
       PINProvider provider) throws SignatureCardException, InterruptedException {
   
@@ -228,87 +384,40 @@ public class ACOSCard extends AbstractSignatureCard {
   
     try {
       
-      if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
-
-        PINSpec spec = pinSpecs.get(PINSPEC_SIG);
-        //new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
-        
-        int retries = -1;
-        char[] pin = null;
-
-        do {
-          pin = provider.providePIN(spec, retries);
-          try {
-            getCard().beginExclusive();
-            
-            // SELECT DF
-            selectFileFID(DF_SIG);
-            // VERIFY
-            retries = verifyPIN(KID_PIN_SIG, pin);
-            if (retries != -1) {
-              throw new VerificationFailedException(retries);
-            }
-            // MSE: SET DST
-            mseSetDST(0x81, 0xb6, DST_SIG);
-            // PSO: HASH
-            psoHash(hash);
-            // PSO: COMPUTE DIGITAL SIGNATURE
-            return psoComputDigitalSiganture();
+      CardChannel channel = getCardChannel();
 
-          } catch (SecurityStatusNotSatisfiedException e) {
-            retries = verifyPIN(KID_PIN_SIG);
-          } catch (VerificationFailedException e) {
-            retries = e.getRetries();
-          } finally {
-            getCard().endExclusive();
-          }
-        } while (retries != 0);
+      if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
 
-        throw new LockedException();
+        PINSpec spec = SIG_PIN_SPEC;
         
+        // SELECT application
+        execSELECT_AID(channel, AID_SIG);
+        // MANAGE SECURITY ENVIRONMENT : SET DST
+        execMSE(channel, 0x41, 0xb6, DST_SIG);
+        // VERIFY
+        verifyPINLoop(channel, spec, provider);
+        // PERFORM SECURITY OPERATION : HASH
+        execPSO_HASH(channel, hash);
+        // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATRE
+        return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel);
     
       } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
         
-        PINSpec spec = pinSpecs.get(PINSPEC_DEC);
-        //new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("dec.pin.name"));
-
-        int retries = -1;
-        char[] pin = null;
-        boolean pinRequired = false;
+        PINSpec spec = DEC_PIN_SPEC;
 
-        do {
-          if (pinRequired) {
-            pin = provider.providePIN(spec, retries);
-          }
+        // SELECT application
+        execSELECT_AID(channel, AID_DEC);
+        // MANAGE SECURITY ENVIRONMENT : SET AT
+        execMSE(channel, 0x41, 0xa4, AT_DEC);
+        
+        while (true) {
           try {
-            getCard().beginExclusive();
-            
-            // SELECT DF
-            selectFileFID(DF_DEC);
-            // VERIFY
-            retries = verifyPIN(KID_PIN_DEC, pin);
-            if (retries != -1) {
-              throw new VerificationFailedException(retries);
-            }
-            // MSE: SET DST
-            mseSetDST(0x41, 0xa4, DST_DEC);
             // INTERNAL AUTHENTICATE
-            return internalAuthenticate(hash);
-            
-          } catch (FileNotFoundException e) {
-            throw new NotActivatedException();
+            return execINTERNAL_AUTHENTICATE(channel, hash);
           } catch (SecurityStatusNotSatisfiedException e) {
-            pinRequired = true;
-            retries = verifyPIN(KID_PIN_DEC);
-          } catch (VerificationFailedException e) {
-            pinRequired = true;
-            retries = e.getRetries();
-          } finally {
-            getCard().endExclusive();
+            verifyPINLoop(channel, spec, provider);
           }
-        } while (retries != 0);
-
-        throw new LockedException();
+        }
 
       } else {
         throw new IllegalArgumentException("KeyboxName '" + keyboxName
@@ -321,377 +430,311 @@ public class ACOSCard extends AbstractSignatureCard {
     } 
       
   }
+  
+  public int getAppVersion() {
+    return appVersion;
+  }
 
-  ////////////////////////////////////////////////////////////////////////
-  // PROTECTED METHODS (assume exclusive card access)
-  ////////////////////////////////////////////////////////////////////////
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#verifyPIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.PINProvider)
+   */
+  @Override
+  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
+      throws LockedException, NotActivatedException, CancelledException,
+      TimeoutException, SignatureCardException, InterruptedException {
 
-  protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    return transmit(channel, new CommandAPDU(0x00, 0xA4, 0x00,
-        0x00, fid, 256));
+    
+    try {
+      // SELECT application
+      execSELECT_AID(channel, pinSpec.getContextAID());
+      // VERIFY
+      verifyPIN(channel, pinSpec, pinProvider, -1);
+    } catch (CardException e) {
+      log.info("Failed to verify PIN.", e);
+      throw new SignatureCardException("Failed to verify PIN.", e);
+    }
+
   }
+  
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#changePIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.ChangePINProvider)
+   */
+  @Override
+  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
+      throws LockedException, NotActivatedException, CancelledException,
+      TimeoutException, SignatureCardException, InterruptedException {
 
-  private void mseSetDST(int p1, int p2, byte[] dst) throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x22, p1,
-        p2, dst));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("MSE:SET DST failed: SW="
-          + Integer.toHexString(resp.getSW()));
+    
+    try {
+      // SELECT application
+      execSELECT_AID(channel, pinSpec.getContextAID());
+      // CHANGE REFERENCE DATA
+      changePIN(channel, pinSpec, pinProvider, -1);
+    } catch (CardException e) {
+      log.info("Failed to change PIN.", e);
+      throw new SignatureCardException("Failed to change PIN.", e);
     }
+
   }
 
-  private void psoHash(byte[] hash) throws CardException, SignatureCardException {
-    CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x90,
-        0x81, hash));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("PSO:HASH failed: SW="
-          + Integer.toHexString(resp.getSW()));
-    }
+  @Override
+  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
+      throws CancelledException, SignatureCardException, CancelledException,
+      TimeoutException, InterruptedException {
+    log.error("ACTIVATE PIN not supported by ACOS");
+    throw new SignatureCardException("PIN activation not supported by this card.");
   }
 
-  private byte[] psoComputDigitalSiganture() throws CardException,
-      SignatureCardException {
-    CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x9E,
-        0x9A, 256));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException(
-          "PSO: COMPUTE DIGITAL SIGNATRE failed: SW="
-              + Integer.toHexString(resp.getSW()));
-    } else {
-      return resp.getData();
-    }
+  @Override
+  public void unblockPIN(PINSpec pinSpec, PINProvider pinProvider)
+      throws CancelledException, SignatureCardException, InterruptedException {
+    throw new SignatureCardException("Unblock PIN not supported.");
   }
   
-  private byte[] internalAuthenticate(byte[] hash) throws CardException, SignatureCardException {
-    byte[] digestInfo = new byte[] {
-        (byte) 0x30, (byte) 0x21, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2B, (byte) 0x0E, 
-        (byte) 0x03, (byte) 0x02, (byte) 0x1A, (byte) 0x05, (byte) 0x00, (byte) 0x04
-    };
-    
-    byte[] data = new byte[digestInfo.length + hash.length + 1];
-    
-    System.arraycopy(digestInfo, 0, data, 0, digestInfo.length);
-    data[digestInfo.length] = (byte) hash.length;
-    System.arraycopy(hash, 0, data, digestInfo.length + 1, hash.length);
-    
-    CardChannel channel = getCardChannel();
-    
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x88, 0x10, 0x00, data, 256));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("INTERNAL AUTHENTICATE failed: SW=" + Integer.toHexString(resp.getSW()));
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.PINMgmtSignatureCard#getPINSpecs()
+   */
+  @Override
+  public List<PINSpec> getPINSpecs() {
+    if (getAppVersion() < 2) {
+      return Arrays.asList(new PINSpec[] {DEC_PIN_SPEC, SIG_PIN_SPEC, INF_PIN_SPEC});
     } else {
-      return resp.getData();
+      return Arrays.asList(new PINSpec[] {DEC_PIN_SPEC, SIG_PIN_SPEC});
     }
   }
 
-  /**
-   *
-   * @param kid
-   * @return -1
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.PINMgmtSignatureCard#getPINStatus(at.gv.egiz.smcc.PINSpec)
    */
   @Override
-  protected int verifyPIN(byte kid) {
-    log.debug("VERIFY PIN without PIN BLOCK not supported by ACOS");
-    return -1;
+  public PIN_STATE getPINState(PINSpec pinSpec) throws SignatureCardException {
+    return PIN_STATE.UNKNOWN;
   }
 
   @Override
-  protected int verifyPIN(byte kid, char[] pin)
-          throws LockedException, NotActivatedException, CancelledException, TimeoutException, PINFormatException, PINOperationAbortedException, SignatureCardException {
-    try {
-      byte[] sw;
-      if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-        log.debug("verify pin on cardreader");
-        sw = reader.verifyPinDirect(getPINVerifyStructure(kid));
-//        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
-      } else if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_START)) {
-        log.debug("verify pin on cardreader");
-        sw = reader.verifyPin(getPINVerifyStructure(kid));
-      } else {
-        byte[] pinBlock = encodePINBlock(pin);
-        CardChannel channel = getCardChannel();
-        ResponseAPDU resp = transmit(channel,
-                new CommandAPDU(0x00, 0x20, 0x00, kid, pinBlock), false);
-        sw = new byte[2];
-        sw[0] = (byte) resp.getSW1();
-        sw[1] = (byte) resp.getSW2();
-      }
+  public String toString() {
+    return "a-sign premium";
+  }
 
-      //6A 00 (falshe P1/P2) nicht in contextAID
-      //69 85 (nutzungsbedingungen nicht erfüllt) in DF_Sig und nicht sigpin
-
-      if (sw[0] == (byte) 0x90 && sw[1] == (byte) 0x00) {
-        return -1;
-      } else if (sw[0] == (byte) 0x63 && sw[1] == (byte) 0xc0) {
-        throw new LockedException("[63:c0]");
-      } else if (sw[0] == (byte) 0x63 && (sw[1] & 0xf0) >> 4 == 0xc) {
-        return sw[1] & 0x0f;
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x83) {
-        //Authentisierungsmethode gesperrt
-        throw new NotActivatedException("[69:83]");
-//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x84) {
-//        //referenzierte Daten sind reversibel gesperrt (invalidated)
-//        throw new NotActivatedException("[69:84]");
-//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x85) {
-//        //Benutzungsbedingungen nicht erfüllt
-//        throw new NotActivatedException("[69:85]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x00) {
-        throw new TimeoutException("[64:00]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x01) {
-        throw new CancelledException("[64:01]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x03) {
-        throw new PINFormatException("[64:03]");
-      }
-      log.error("Failed to verify pin: SW="
-              + SMCCHelper.toString(sw));
-      throw new SignatureCardException(SMCCHelper.toString(sw));
+  ////////////////////////////////////////////////////////////////////////
+  // PROTECTED METHODS (assume exclusive card access)
+  ////////////////////////////////////////////////////////////////////////
 
-    } catch (CardException ex) {
-      log.error("smart card communication failed: " + ex.getMessage());
-      throw new SignatureCardException("smart card communication failed: " + ex.getMessage(), ex);
-    }
+  protected void verifyPINLoop(CardChannel channel, PINSpec spec, PINProvider provider)
+      throws InterruptedException, LockedException, NotActivatedException,
+      TimeoutException, PINFormatException, PINOperationAbortedException,
+      SignatureCardException, CardException {
+    
+    int retries = -1;
+    do {
+      retries = verifyPIN(channel, spec, provider, retries);
+    } while (retries > 0);
+    
   }
 
-  /**
-   * SCARD_E_NOT_TRANSACTED inf/dec PIN not active (pcsc crash)
-   * @param kid
-   * @param oldPin
-   * @param newPin
-   * @return
-   * @throws at.gv.egiz.smcc.LockedException
-   * @throws at.gv.egiz.smcc.NotActivatedException
-   * @throws at.gv.egiz.smcc.SignatureCardException
-   */
-  @Override
-  protected int changePIN(byte kid, char[] oldPin, char[] newPin)
-          throws LockedException, NotActivatedException, CancelledException, PINFormatException, PINConfirmationException, TimeoutException, PINOperationAbortedException, SignatureCardException {
-    try {
-       byte[] sw;
-      if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_DIRECT)) {
-        log.debug("modify pin on cardreader");
-        sw = reader.modifyPinDirect(getPINModifyStructure(kid));
-      } else if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_START)) {
-        log.debug("modify pin on cardreader");
-        sw = reader.modifyPin(getPINModifyStructure(kid));
-      } else {
-        byte[] cmd = new byte[16];
-        System.arraycopy(encodePINBlock(oldPin), 0, cmd, 0, 8);
-        System.arraycopy(encodePINBlock(newPin), 0, cmd, 8, 8);
-
-        CardChannel channel = getCardChannel();
+  protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
+      PINProvider provider, int retries) throws InterruptedException, CardException, SignatureCardException {
+    
+    VerifyAPDUSpec apduSpec = new VerifyAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x00, pinSpec.getKID(), (byte) 0x08,
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 }, 
+        0, VerifyAPDUSpec.PIN_FORMAT_ASCII, 8);
+    
+    ResponseAPDU resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    
+    if (resp.getSW() == 0x9000) {
+      return -1;
+    }
+    if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    }
 
-        ResponseAPDU resp = transmit(channel,
-                new CommandAPDU(0x00, 0x24, 0x00, kid, cmd), false);
+    switch (resp.getSW()) {
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
+  
+    default:
+      String msg = "VERIFY failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
 
-        sw = new byte[2];
-        sw[0] = (byte) resp.getSW1();
-        sw[1] = (byte) resp.getSW2();
-      }
+  }
 
-      // activates pin (newPIN) if not active
-      if (sw[0] == (byte) 0x90 && sw[1] == (byte) 0x00) {
-        return -1;
-      } else if (sw[0] == (byte) 0x63 && sw[1] == (byte) 0xc0) {
-        throw new LockedException("[63:c0]");
-      } else if (sw[0] == (byte) 0x63 && (sw[1] & 0xf0) >> 4 == 0xc) {
-        return sw[1] & 0x0f;
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x83) {
-        //Authentisierungsmethode gesperrt
-        // sig-pin only (card not transacted for inf/dec pin)
-        throw new NotActivatedException("[69:83]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x00) {
-        throw new TimeoutException("[64:00]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x01) {
-        throw new CancelledException("[64:01]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x02) {
-        throw new PINConfirmationException("[64:02]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x03) {
-        throw new PINFormatException("[64:03]");
-      } else if (sw[0] == (byte) 0x6a && sw[1] == (byte) 0x80) {
-        log.info("invalid parameter, assume wrong pin size");
-        throw new PINFormatException("[6a:80]");
-      }
-      log.error("Failed to change pin: SW="
-              + SMCCHelper.toString(sw));
-      throw new SignatureCardException(SMCCHelper.toString(sw));
+  protected int changePIN(CardChannel channel, PINSpec pinSpec,
+      ChangePINProvider pinProvider, int retries) throws CancelledException, InterruptedException, CardException, SignatureCardException {
+
+    ChangeReferenceDataAPDUSpec apduSpec = new ChangeReferenceDataAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x24, (byte) 0x00, pinSpec.getKID(), (byte) 0x10,  
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00        
+        }, 
+        0, VerifyAPDUSpec.PIN_FORMAT_ASCII, 8);
+    
+    
+    
+    ResponseAPDU resp = reader.modify(channel, apduSpec, pinSpec, pinProvider, retries);
+    
+    if (resp.getSW() == 0x9000) {
+      return -1;
+    }
+    if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    }
+    
+    switch (resp.getSW()) {
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
+  
+    default:
+      String msg = "CHANGE REFERENCE DATA failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+    
+  }
 
-    } catch (CardException ex) {
-      log.error("smart card communication failed: " + ex.getMessage());
-      throw new SignatureCardException("smart card communication failed: " + ex.getMessage(), ex);
+  protected byte[] execSELECT_AID(CardChannel channel, byte[] aid)
+      throws SignatureCardException, CardException {
+
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, 256));
+
+    if (resp.getSW() == 0x6A82) {
+      String msg = "File or application not found AID="
+          + SMCCHelper.toString(aid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new FileNotFoundException(msg);
+    } else if (resp.getSW() != 0x9000) {
+      String msg = "Failed to select application AID="
+          + SMCCHelper.toString(aid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    } else {
+      return resp.getBytes();
     }
+
   }
+  
+  protected byte[] execSELECT_FID(CardChannel channel, byte[] fid)
+      throws SignatureCardException, CardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x00, 0x00, fid, 256));
+    
+    if (resp.getSW() == 0x6A82) {
+      String msg = "File or application not found FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new FileNotFoundException(msg);
+    } else if (resp.getSW() != 0x9000) {
+      String msg = "Failed to select application FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.error(msg);
+      throw new SignatureCardException(msg);
+    } else {
+      return resp.getBytes();
+    }
 
-  /**
-   * throws SignatureCardException (PIN activation not supported by ACOS)
-   * @throws at.gv.egiz.smcc.SignatureCardException
-   */
-  @Override
-  public void activatePIN(byte kid, char[] pin)
-          throws SignatureCardException {
-    log.error("ACTIVATE PIN not supported by ACOS");
-    throw new SignatureCardException("PIN activation not supported by this card");
+    
   }
+  
+  protected void execMSE(CardChannel channel, int p1,
+      int p2, byte[] data) throws SignatureCardException, CardException {
 
-  /**
-   * ASCII encoded pin, padded with 0x00
-   * @param pin
-   * @return a 8 byte pin block
-   */
-  @Override
-  protected byte[] encodePINBlock(char[] pin) {
-//    byte[] asciiPIN = new String(pin).getBytes(Charset.forName("ASCII"));
-    CharBuffer chars = CharBuffer.wrap(pin);
-    ByteBuffer bytes = Charset.forName("ASCII").encode(chars);
-    byte[] asciiPIN = bytes.array();
-    byte[] encodedPIN = new byte[8];
-    System.arraycopy(asciiPIN, 0, encodedPIN, 0, Math.min(asciiPIN.length,
-        encodedPIN.length));
-//    System.out.println("ASCII encoded PIN block: " + SMCCHelper.toString(encodedPIN));
-    return encodedPIN;
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x22, p1, p2, data));
+
+    if (resp.getSW() != 0x9000) {
+      String msg = "MSE failed: SW="
+          + Integer.toHexString(resp.getSW());
+      log.error(msg);
+      throw new SignatureCardException(msg);
+    } 
+    
   }
   
-  private byte[] getPINVerifyStructure(byte kid) {
-      
-      byte bTimeOut = reader.getbTimeOut();   
-      byte bTimeOut2 = reader.getbTimeOut2(); 
-      byte bmFormatString = (byte) 0x82;      // 1 0000 0 10
-                                              // ^------------ System unit = byte
-                                              //   ^^^^------- PIN position in the frame = 1 byte
-                                              //        ^----- PIN justification left
-                                              //          ^^-- ASCII format
-      byte bmPINBlockString = (byte) 0x08;    // 0000 1000
-                                              // ^^^^--------- PIN length size: 0 bits
-                                              //      ^^^^---- Length PIN = 8 bytes
-      byte bmPINLengthFormat = (byte) 0x00;   // 000 0 0000
-                                              //     ^-------- System bit units is bit
-                                              //       ^^^^--- no PIN length
-      byte wPINMaxExtraDigitL = //TODO compare ints, not bytes
-              (reader.getwPINMaxExtraDigitL() < (byte) 0x08) ?
-                reader.getwPINMaxExtraDigitL() : (byte) 0x08;
-      byte wPINMaxExtraDigitH =               
-              (reader.getwPINMaxExtraDigitH() > (byte) 0x00) ?
-                reader.getwPINMaxExtraDigitH() : (byte) 0x00;
-      byte bEntryValidationCondition = 
-              reader.getbEntryValidationCondition();
-      byte bNumberMessage = (byte) 0x00;      // No message
-      byte wLangIdL = (byte) 0x0C;            
-      byte wLangIdH = (byte) 0x04;            
-      byte bMsgIndex = (byte) 0x00;           
-
-      byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x20, (byte) 0x00, kid, (byte) 0x08, 
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,      
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00       
-      };
-
-      int offset = 0;
-      byte[] pinVerifyStructure = new byte[offset + 19 + apdu.length];
-      pinVerifyStructure[offset++] = bTimeOut;
-      pinVerifyStructure[offset++] = bTimeOut2;
-      pinVerifyStructure[offset++] = bmFormatString;
-      pinVerifyStructure[offset++] = bmPINBlockString;
-      pinVerifyStructure[offset++] = bmPINLengthFormat;
-      pinVerifyStructure[offset++] = wPINMaxExtraDigitL;
-      pinVerifyStructure[offset++] = wPINMaxExtraDigitH;
-      pinVerifyStructure[offset++] = bEntryValidationCondition;
-      pinVerifyStructure[offset++] = bNumberMessage;
-      pinVerifyStructure[offset++] = wLangIdL;
-      pinVerifyStructure[offset++] = wLangIdH;
-      pinVerifyStructure[offset++] = bMsgIndex;
-
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-
-      pinVerifyStructure[offset++] = (byte) apdu.length;
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      System.arraycopy(apdu, 0, pinVerifyStructure, offset, apdu.length);
-
-      return pinVerifyStructure;
+  protected byte[] execPSO_DECIPHER(CardChannel channel, byte [] cipher) throws CardException, SignatureCardException {
+    
+    byte[] data = new byte[cipher.length + 1];
+    data[0] = 0x00;
+    System.arraycopy(cipher, 0, data, 1, cipher.length);
+    ResponseAPDU resp = channel.transmit(new CommandAPDU(0x00, 0x2A, 0x80, 0x86, data, 256));
+    if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException(
+          "PSO - DECIPHER failed: SW="
+          + Integer.toHexString(resp.getSW()));
+    }
+    
+    return resp.getData();
+    
   }
   
-  public byte[] getPINModifyStructure(byte kid) {
-
-      byte bTimeOut = reader.getbTimeOut();
-      byte bTimeOut2 = reader.getbTimeOut2();
-      byte bmFormatString = (byte) 0x82;      // 1 0000 0 10
-                                              // ^------------ System unit = byte
-                                              //   ^^^^------- PIN position in the frame = 1 byte
-                                              //        ^----- PIN justification left
-                                              //          ^^-- ASCII format
-      byte bmPINBlockString = (byte) 0x08;    // 0000 1000
-                                              // ^^^^--------- PIN length size: 0 bits
-                                              //      ^^^^---- Length PIN = 8 bytes
-      byte bmPINLengthFormat = (byte) 0x00;   // 000 0 0000
-                                              //     ^-------- System bit units is bit
-                                              //       ^^^^--- no PIN length 
-      byte bInsertionOffsetOld = (byte) 0x00; // insertion position offset in bytes
-      byte bInsertionOffsetNew = (byte) 0x08; 
-      byte wPINMaxExtraDigitL =
-              (reader.getwPINMaxExtraDigitL() < (byte) 0x08) ?
-                reader.getwPINMaxExtraDigitL() : (byte) 0x08;
-      byte wPINMaxExtraDigitH =
-              (reader.getwPINMaxExtraDigitH() > (byte) 0x00) ?
-                reader.getwPINMaxExtraDigitH() : (byte) 0x00;
-      byte bConfirmPIN = (byte) 0x03;
-      byte bEntryValidationCondition =
-              reader.getbEntryValidationCondition();
-      byte bNumberMessage = (byte) 0x03;      
-      byte wLangIdL = (byte) 0x0C;            
-      byte wLangIdH = (byte) 0x04;            
-      byte bMsgIndex1 = (byte) 0x00;           
-      byte bMsgIndex2 = (byte) 0x01;           
-      byte bMsgIndex3 = (byte) 0x02;           
-
-      byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x24, (byte) 0x00, kid, (byte) 0x10,  
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,       
-        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00        
-      };
-
-      int offset = 0;
-      byte[] pinModifyStructure = new byte[offset + 24 + apdu.length];
-      pinModifyStructure[offset++] = bTimeOut;
-      pinModifyStructure[offset++] = bTimeOut2;
-      pinModifyStructure[offset++] = bmFormatString;
-      pinModifyStructure[offset++] = bmPINBlockString;
-      pinModifyStructure[offset++] = bmPINLengthFormat;
-      pinModifyStructure[offset++] = bInsertionOffsetOld;
-      pinModifyStructure[offset++] = bInsertionOffsetNew;
-      pinModifyStructure[offset++] = wPINMaxExtraDigitL;
-      pinModifyStructure[offset++] = wPINMaxExtraDigitH;
-      pinModifyStructure[offset++] = bConfirmPIN;
-      pinModifyStructure[offset++] = bEntryValidationCondition;
-      pinModifyStructure[offset++] = bNumberMessage;
-      pinModifyStructure[offset++] = wLangIdL;
-      pinModifyStructure[offset++] = wLangIdH;
-      pinModifyStructure[offset++] = bMsgIndex1;
-      pinModifyStructure[offset++] = bMsgIndex2;
-      pinModifyStructure[offset++] = bMsgIndex3;
-
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-
-      pinModifyStructure[offset++] = (byte) apdu.length;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      System.arraycopy(apdu, 0, pinModifyStructure, offset, apdu.length);
-
-      return pinModifyStructure;
+  protected void execPSO_HASH(CardChannel channel, byte[] hash) throws CardException, SignatureCardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x2A, 0x90, 0x81, hash));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("PSO - HASH failed: SW="
+          + Integer.toHexString(resp.getSW()));
+    }
+    
   }
+  
+  protected byte[] execPSO_COMPUTE_DIGITAL_SIGNATURE(CardChannel channel) throws CardException,
+      SignatureCardException {
 
-  @Override
-  public String toString() {
-    return "a-sign premium";
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, 256));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException(
+          "PSO - COMPUTE DIGITAL SIGNATRE failed: SW="
+              + Integer.toHexString(resp.getSW()));
+    } else {
+      return resp.getData();
+    }
+
+  }
+  
+  protected byte[] execINTERNAL_AUTHENTICATE(CardChannel channel, byte[] hash) throws CardException,
+      SignatureCardException {
+
+    byte[] digestInfo = new byte[] { (byte) 0x30, (byte) 0x21, (byte) 0x30,
+        (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2B, (byte) 0x0E,
+        (byte) 0x03, (byte) 0x02, (byte) 0x1A, (byte) 0x05, (byte) 0x00,
+        (byte) 0x04 };
+    
+    byte[] data = new byte[digestInfo.length + hash.length + 1];
+    
+    System.arraycopy(digestInfo, 0, data, 0, digestInfo.length);
+    data[digestInfo.length] = (byte) hash.length;
+    System.arraycopy(hash, 0, data, digestInfo.length + 1, hash.length);
+    
+    ResponseAPDU resp = channel.transmit(new CommandAPDU(0x00, 0x88, 0x10, 0x00, data, 256));
+    if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
+    } else if (resp.getSW() == 0x6983) {
+      throw new LockedException();
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("INTERNAL AUTHENTICATE failed: SW="
+          + Integer.toHexString(resp.getSW()));
+    } else {
+      return resp.getData();
+    }
   }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
index f0f8b8c8..54b4c7fe 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
@@ -1,55 +1,37 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.ccid.CCID;
-import at.gv.egiz.smcc.ccid.ReaderFactory;
-import at.gv.egiz.smcc.util.SMCCHelper;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.nio.ByteBuffer;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
 import java.util.ResourceBundle;
 
-import javax.smartcardio.ATR;
 import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CardTerminal;
-import javax.smartcardio.CommandAPDU;
-import javax.smartcardio.ResponseAPDU;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import at.gv.egiz.smcc.ccid.CCID;
+import at.gv.egiz.smcc.ccid.ReaderFactory;
+
 public abstract class AbstractSignatureCard implements SignatureCard {
 
   private static Log log = LogFactory.getLog(AbstractSignatureCard.class);
@@ -61,14 +43,8 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   private Locale locale = Locale.getDefault();
 
-  int ifs_ = 254;
-
   private Card card_;
   
-  /**
-   * The card terminal that connects the {@link #card_}.  
-   */
-//  private CardTerminal cardTerminal;
   protected CCID reader;
 
   protected AbstractSignatureCard(String resourceBundleName) {
@@ -89,379 +65,10 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     return sb.toString();
   }
 
-  /**
-   * Select an application using AID as DF name according to ISO/IEC 7816-4
-   * section 8.2.2.2.
-   * 
-   * @param dfName
-   *          AID of the application to be selected
-   * 
-   * @return the response data of the response APDU if SW=0x9000
-   * 
-   * @throws CardException
-   *           if card communication fails
-   * 
-   * @throws SignatureCardException
-   *           if application selection fails (e.g. an application with the
-   *           given AID is not present on the card)
-   */
-  protected byte[] selectFileAID(byte[] dfName) throws CardException, SignatureCardException {
-    CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel,
-            new CommandAPDU(0x00, 0xA4, 0x04, 0x00, dfName, 256));
-//            new CommandAPDU(0x00, 0xa4, 0x04, 0x0c, dfName));
-    if (resp.getSW() != 0x9000) {
-      String msg = "Failed to select application AID=" + SMCCHelper.toString(dfName) +
-              ": SW=" + Integer.toHexString(resp.getSW());
-      log.error(msg);
-      throw new SignatureCardException(msg);
-    } else {
-      return resp.getBytes();
-    }
-  }
-
-  protected abstract ResponseAPDU selectFileFID(byte[] fid) throws CardException,
-      SignatureCardException;
-
-  /**
-   * VERIFY APDU without PIN BLOCK
-   * Not supported by ACOS cards (and GemPC Pinpad?)
-   * @param kid
-   * @return the number of possible tries until card is blocked or -1 if unknown
-   * (ACOS does not support this VERIFY APDU type)
-   * @throws at.gv.egiz.smcc.LockedException
-   * @throws at.gv.egiz.smcc.NotActivatedException
-   * @throws at.gv.egiz.smcc.SignatureCardException
-   */
-  protected abstract int verifyPIN(byte kid)
-          throws LockedException, NotActivatedException, SignatureCardException;
-
-  /**
-   * VERIFY APDU with PIN BLOCK
-   * If IFD supports VERIFY_PIN on pinpad, parameter pin may be empty.
-   * @param kid
-   * @param pin to be encoded in the PIN BLOCK
-   * @return -1 if VERIFY PIN was successful, or the number of possible retries
-   * @throws at.gv.egiz.smcc.LockedException
-   * @throws at.gv.egiz.smcc.NotActivatedException
-   * @throws at.gv.egiz.smcc.SignatureCardException
-   */
-  protected abstract int verifyPIN(byte kid, char[] pin)
-          throws LockedException, NotActivatedException, CancelledException, PINFormatException, TimeoutException, PINOperationAbortedException, SignatureCardException;
-  
-  /**
-   * CHANGE(?) APDU
-   * If IFD supports VERIFY_PIN on pinpad, parameter pin may be empty.
-   * @param kid
-   * @param pin
-   * @throws at.gv.egiz.smcc.SignatureCardException if activation fails
-   */
-  protected abstract void activatePIN(byte kid, char[] pin)
-          throws CancelledException, PINFormatException, PINConfirmationException, TimeoutException, PINOperationAbortedException, SignatureCardException;
-
-  /**
-   * CHANGE(?) APDU
-   * If IFD supports VERIFY_PIN on pinpad, parameter pin may be empty.
-   * @param kid
-   * @param pin
-   * @return -1 if CHANGE PIN was successful, or the number of possible retries
-   * @throws at.gv.egiz.smcc.SignatureCardException if change fails
-   */
-  protected abstract int changePIN(byte kid, char[] oldPin, char[] newPin)
-          throws LockedException, NotActivatedException, CancelledException, PINFormatException, PINConfirmationException, TimeoutException, PINOperationAbortedException, SignatureCardException;
-
-  /**
-   * encode the pin as needed in VERIFY/CHANGE APDUs
-   * @param pin
-   * @return
-   * @throws at.gv.egiz.smcc.SignatureCardException if the provided pin does
-   * not meet the restrictions imposed by the encoding (not the pinSpec!),
-   * such as maximum Length
-   */
-  protected abstract byte[] encodePINBlock(char[] pin) throws SignatureCardException;
-
-  protected byte[] readRecord(int recordNumber) throws SignatureCardException, CardException {
-    return readRecord(getCardChannel(), recordNumber);
-  }
-
-  protected byte[] readRecord(CardChannel channel, int recordNumber) throws SignatureCardException, CardException {
-    
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xB2,
-        recordNumber, 0x04, 256));
-    if (resp.getSW() == 0x9000) {
-      return resp.getData();
-    } else {
-      throw new SignatureCardException("Failed to read records. SW=" + Integer.toHexString(resp.getSW()));
-    }
-     
-  }
-  
-  protected byte[] readBinary(CardChannel channel, int offset, int len)
-      throws CardException, SignatureCardException {
-
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xB0,
-        0x7F & (offset >> 8), offset & 0xFF, len));
-    if (resp.getSW() == 0x9000) {
-      return resp.getData();
-    } else if (resp.getSW() == 0x6982) {
-      throw new SecurityStatusNotSatisfiedException();
-    } else {
-      throw new SignatureCardException("Failed to read bytes (" + offset + "+"
-          + len + "): SW=" + Integer.toHexString(resp.getSW()));
-    }
-
-  }
-
-  protected int readBinary(int offset, int len, byte[] b) throws CardException,
-      SignatureCardException {
-
-    if (b.length < len) {
-      throw new IllegalArgumentException(
-          "Length of b must not be less than len.");
-    }
-
-    CardChannel channel = getCardChannel();
-
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xB0,
-        0x7F & (offset >> 8), offset & 0xFF, len));
-    if (resp.getSW() == 0x9000) {
-      System.arraycopy(resp.getData(), 0, b, 0, len);
-    }
-
-    return resp.getSW();
-
-  }
-
-  protected byte[] readBinaryTLV(int maxSize, byte expectedType) throws CardException,
-      SignatureCardException {
-
-    CardChannel channel = getCardChannel();
-
-    // read first chunk
-    int len = Math.min(maxSize, ifs_);
-    byte[] chunk = readBinary(channel, 0, len);
-    if (chunk.length > 0 && chunk[0] != expectedType) {
-      return null;
-    }
-    int offset = chunk.length;
-    int actualSize = maxSize;
-    if (chunk.length > 3) {
-      if ((chunk[1] & 0x80) > 0) {
-        int octets = (0x0F & chunk[1]);
-        actualSize = 2 + octets;
-        for (int i = 1; i <= octets; i++) {
-          actualSize += (0xFF & chunk[i + 1]) << ((octets - i) * 8);
-        }
-      } else {
-        actualSize = 2 + chunk[1];
-      }
-    }
-    ByteBuffer buffer = ByteBuffer.allocate(actualSize);
-    buffer.put(chunk, 0, Math.min(actualSize, chunk.length));
-    while (offset < actualSize) {
-      len = Math.min(ifs_, actualSize - offset);
-      chunk = readBinary(channel, offset, len);
-      buffer.put(chunk);
-      offset += chunk.length;
-    }
-    return buffer.array();
-
-  }
-
-  protected byte[] readRecords(byte[] aid, byte[] ef, int start, int end) throws SignatureCardException, InterruptedException {
-    
-    try {
-      
-      // SELECT FILE (AID)
-      byte[] rb = selectFileAID(aid);
-      if (rb[rb.length - 2] != (byte) 0x90 || rb[rb.length - 1] != (byte) 0x00) {
-
-        throw new SignatureCardException("SELECT FILE with "
-            + "AID="
-            + toString(aid)
-            + " failed ("
-            + "SW="
-            + Integer.toHexString((0xFF & (int) rb[rb.length - 1])
-                | (0xFF & (int) rb[rb.length - 2]) << 8) + ").");
-
-      }
-
-      // SELECT FILE (EF)
-      ResponseAPDU resp = selectFileFID(ef);
-      if (resp.getSW() == 0x6a82) {
-        
-        // EF not found
-        throw new FileNotFoundException("EF " + toString(ef) + " not found.");
-        
-      } else if (resp.getSW() != 0x9000) {
-
-        throw new SignatureCardException("SELECT FILE with "
-            + "FID="
-            + toString(ef)
-            + " failed ("
-            + "SW="
-            + Integer.toHexString(resp.getSW()) + ").");
-        
-      }
-      
-      ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-      
-      for (int i = start; i <= end; i++) {
-        bytes.write(readRecord(i));
-      }
-      
-      return bytes.toByteArray();
-      
-    } catch (CardException e) {
-      throw new SignatureCardException("Failed to acces card.", e);
-    } catch (IOException e) {
-      throw new SignatureCardException("Failed to read records.", e);
-    }
-    
-  }
-  
-  /**
-   * Read the content of a TLV file.
-   * 
-   * @param aid the application ID (AID)
-   * @param ef the elementary file (EF)
-   * @param maxLength the maximum length of the file
-   * 
-   * @return the content of the file
-   * 
-   * @throws SignatureCardException
-   * @throws CardException 
-   */
-  protected byte[] readTLVFile(byte[] aid, byte[] ef, int maxLength)
-      throws SignatureCardException, InterruptedException, CardException {
-    // SELECT FILE (AID)
-    selectFileAID(aid);
-
-    // SELECT FILE (EF)
-    ResponseAPDU resp = selectFileFID(ef);
-    if (resp.getSW() == 0x6a82) {
-      // EF not found
-      throw new FileNotFoundException("EF " + toString(ef) + " not found.");
-    } else if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("SELECT FILE with "
-          + "FID="
-          + toString(ef)
-          + " failed ("
-          + "SW="
-          + Integer.toHexString(resp.getSW()) + ").");
-    }
-
-    return readBinaryTLV(maxLength, (byte) 0x30);
-//    return readTLVFile(aid, ef, null, (byte) 0, maxLength);
-  }
-
-  /**
-   * Read the content of a TLV file wich requires a PIN.
-   * 
-   * @param aid the application ID (AID)
-   * @param ef the elementary file (EF)
-   * @param kid the key ID (KID) of the corresponding PIN
-   * @param pin the pin or null if VERIFY on pinpad
-   * @param spec the PINSpec
-   * @param maxLength the maximum length of the file
-   * 
-   * @return the content of the file
-   * 
-   * @throws SignatureCardException
-   * @throws CardException 
-   */
-  protected byte[] readTLVFile(byte[] aid, byte[] ef, char[] pin, byte kid, int maxLength)
-      throws SignatureCardException, InterruptedException, CardException {
-
-
-    // SELECT FILE (AID)
-    selectFileAID(aid);
-
-    // SELECT FILE (EF)
-    ResponseAPDU resp = selectFileFID(ef);
-    if (resp.getSW() == 0x6a82) {
-      // EF not found
-      throw new FileNotFoundException("EF " + toString(ef) + " not found.");
-    } else if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("SELECT FILE with "
-          + "FID="
-          + toString(ef)
-          + " failed ("
-          + "SW="
-          + Integer.toHexString(resp.getSW()) + ").");
-    }
-
-    // VERIFY
-      int retries = verifyPIN(kid, pin);
-      if (retries != -1) {
-        throw new VerificationFailedException(retries);
-      }
-   
-    return readBinaryTLV(maxLength, (byte) 0x30);
-      
-    
-  }
-  
-  /**
-   * Transmit the given command APDU using the given card channel.
-   * 
-   * @param channel
-   *          the card channel
-   * @param commandAPDU
-   *          the command APDU
-   * @param logData
-   *          <code>true</code> if command APDU data may be logged, or
-   *          <code>false</code> otherwise
-   * 
-   * @return the corresponding response APDU
-   * 
-   * @throws CardException
-   *           if smart card communication fails
-   */
-  protected ResponseAPDU transmit(CardChannel channel, CommandAPDU commandAPDU, boolean logData)
-      throws CardException {
-    
-    if (log.isTraceEnabled()) {
-      log.trace(commandAPDU 
-          + (logData ? "\n" + toString(commandAPDU.getBytes()) : ""));
-      long t0 = System.currentTimeMillis();
-      ResponseAPDU responseAPDU = channel.transmit(commandAPDU);
-      long t1 = System.currentTimeMillis();
-      log.trace(responseAPDU + "\n[" + (t1 - t0) + "ms] "
-          + (logData ? "\n" + toString(responseAPDU.getBytes()) : ""));
-      return responseAPDU;
-    } else {
-      return channel.transmit(commandAPDU);
-    }
-    
-  }
-
-  /**
-   * Transmit the given command APDU using the given card channel.
-   * 
-   * @param channel the card channel
-   * @param commandAPDU the command APDU
-   * 
-   * @return the corresponding response APDU
-   * 
-   * @throws CardException if smart card communication fails
-   */
-  protected ResponseAPDU transmit(CardChannel channel, CommandAPDU commandAPDU)
-      throws CardException {
-    return transmit(channel, commandAPDU, true);
-  }
-
-  
   @Override
   public void init(Card card, CardTerminal cardTerminal) {
     this.card_ = card;
     this.reader = ReaderFactory.getInstance().getReader(card, cardTerminal);
-    ATR atr = card.getATR();
-    byte[] atrBytes = atr.getBytes();
-    if (atrBytes.length >= 6) {
-      ifs_ = 0xFF & atr.getBytes()[6];
-      log.trace("Setting IFS (information field size) to " + ifs_);
-    }
   }
   
   @Override
@@ -470,7 +77,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
   }
 
   protected CardChannel getCardChannel() {
-    return card_.getBasicChannel();
+    return new LogCardChannel(card_.getBasicChannel());
   }
 
   @Override
@@ -517,112 +124,4 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     }
   }
 
-  @Override
-  public List<PINSpec> getPINSpecs() {
-    return pinSpecs;
-  }
-
-  @Override
-  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
-          throws LockedException, NotActivatedException, CancelledException, TimeoutException, SignatureCardException, InterruptedException {
-    try {
-      getCard().beginExclusive();
-
-      if (pinSpec.getContextAID() != null) {
-        selectFileAID(pinSpec.getContextAID());
-      }
-
-      // -1 if ok or unknown
-      int retries = verifyPIN(pinSpec.getKID());
-      do {
-        char[] pin = pinProvider.providePIN(pinSpec, retries);
-        retries = verifyPIN(pinSpec.getKID(), pin);
-      } while (retries > 0);
-      //return on -1, 0 never reached: verifyPIN throws LockedEx
-
-    } catch (CardException ex) {
-      log.error("failed to verify " + pinSpec.getLocalizedName() +
-              ": " + ex.getMessage(), ex);
-      throw new SignatureCardException(ex);
-    } finally {
-      try {
-        getCard().endExclusive();
-      } catch (CardException ex) {
-        log.trace("failed to end exclusive card access: " + ex.getMessage());
-      }
-    }
-  }
-
-  @Override
-  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
-          throws CancelledException, SignatureCardException, CancelledException, TimeoutException, InterruptedException {
-   try {
-      getCard().beginExclusive();
-
-      if (pinSpec.getContextAID() != null) {
-        selectFileAID(pinSpec.getContextAID());
-      }
-      char[] pin = pinProvider.providePIN(pinSpec, -1);
-      activatePIN(pinSpec.getKID(), pin);
-      
-    } catch (CardException ex) {
-      log.error("Failed to activate " + pinSpec.getLocalizedName() +
-              ": " + ex.getMessage());
-      throw new SignatureCardException(ex.getMessage(), ex);
-    } finally {
-      try {
-        getCard().endExclusive();
-      } catch (CardException ex) {
-        log.trace("failed to end exclusive card access: " + ex.getMessage());
-      }
-    }
-  }
-
-  /**
-   * activates pin (newPIN) if not active
-   * @param pinSpec
-   * @param oldPIN
-   * @param newPIN
-   * @throws at.gv.egiz.smcc.LockedException
-   * @throws at.gv.egiz.smcc.VerificationFailedException
-   * @throws at.gv.egiz.smcc.NotActivatedException
-   * @throws at.gv.egiz.smcc.SignatureCardException
-   */
-  @Override
-  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
-          throws LockedException, NotActivatedException, CancelledException,
-          TimeoutException, SignatureCardException, InterruptedException {
-    try {
-      getCard().beginExclusive();
-
-      if (pinSpec.getContextAID() != null) {
-        selectFileAID(pinSpec.getContextAID());
-      }
-
-      int retries = verifyPIN(pinSpec.getKID());
-      do {
-        char[] newPin = pinProvider.providePIN(pinSpec, retries);
-        char[] oldPin = pinProvider.provideOldPIN(pinSpec, retries);
-        retries = changePIN(pinSpec.getKID(), oldPin, newPin);
-      } while (retries > 0);
-      //return on -1, 0 never reached: verifyPIN throws LockedEx
-
-    } catch (CardException ex) {
-      log.error("Failed to change " + pinSpec.getLocalizedName() +
-              ": " + ex.getMessage());
-      throw new SignatureCardException(ex.getMessage(), ex);
-    } finally {
-      try {
-        getCard().endExclusive();
-      } catch (CardException ex) {
-        log.trace("failed to end exclusive card access: " + ex.getMessage());
-      }
-    }
-  }
-
-  @Override
-  public void unblockPIN(PINSpec pinSpec, PINProvider pinProvider)
-          throws CancelledException, SignatureCardException, InterruptedException {
-    throw new SignatureCardException("Unblock not supported yet");
-  }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/CardNotSupportedException.java b/smcc/src/main/java/at/gv/egiz/smcc/CardNotSupportedException.java
index e2a5fe16..1cde093d 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/CardNotSupportedException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/CardNotSupportedException.java
@@ -1,31 +1,19 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
 package at.gv.egiz.smcc;
 
 public class CardNotSupportedException extends Exception {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java
index d0622aa4..41010551 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java
@@ -1,24 +1,21 @@
 /*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.*;
-
 /**
  *
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ChangeReferenceDataAPDUSpec.java b/smcc/src/main/java/at/gv/egiz/smcc/ChangeReferenceDataAPDUSpec.java
new file mode 100644
index 00000000..0b10d88f
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ChangeReferenceDataAPDUSpec.java
@@ -0,0 +1,95 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class ChangeReferenceDataAPDUSpec extends VerifyAPDUSpec {
+  
+  /**
+   * The offset for the insertion of the old PIN. (Default: 0)
+   */
+  protected int pinInsertionOffsetOld = 0;
+  
+  /**
+   * The offset for the insertion of the new PIN. (Default:
+   * {@link VerifyAPDUSpec#pinLength} + 1})
+   */
+  protected int pinInsertionOffsetNew = pinLength;
+
+  public ChangeReferenceDataAPDUSpec(byte[] apdu, int pinPosition, int pinFormat, int pinLength) {
+    super(apdu, pinPosition, pinFormat, pinLength);
+  }
+
+  /**
+   * @param apdu
+   * @param pinPosition
+   * @param pinFormat
+   * @param pinLength
+   * @param pinLengthSize
+   * @param pinLengthPos
+   */
+  public ChangeReferenceDataAPDUSpec(byte[] apdu, int pinPosition,
+      int pinFormat, int pinLength, int pinLengthSize, int pinLengthPos) {
+    super(apdu, pinPosition, pinFormat, pinLength, pinLengthSize, pinLengthPos);
+  }
+  
+  /**
+   * @param apdu
+   * @param pinPosition
+   * @param pinFormat
+   * @param pinLength
+   * @param pinLengthSize
+   * @param pinLengthPos
+   * @param pinInsertionOffsetNew
+   */
+  public ChangeReferenceDataAPDUSpec(byte[] apdu, int pinPosition,
+      int pinFormat, int pinLength, int pinLengthSize, int pinLengthPos,
+      int pinInsertionOffsetNew) {
+    super(apdu, pinPosition, pinFormat, pinLength, pinLengthSize, pinLengthPos);
+    this.pinInsertionOffsetNew = pinInsertionOffsetNew;
+  }
+
+  /**
+   * @return the pinInsertionOffsetOld
+   */
+  public int getPinInsertionOffsetOld() {
+    return pinInsertionOffsetOld;
+  }
+
+  /**
+   * @param pinInsertionOffsetOld the pinInsertionOffsetOld to set
+   */
+  public void setPinInsertionOffsetOld(int pinInsertionOffsetOld) {
+    this.pinInsertionOffsetOld = pinInsertionOffsetOld;
+  }
+
+  /**
+   * @return the pinInsertionOffsetNew
+   */
+  public int getPinInsertionOffsetNew() {
+    return pinInsertionOffsetNew;
+  }
+
+  /**
+   * @param pinInsertionOffsetNew the pinInsertionOffsetNew to set
+   */
+  public void setPinInsertionOffsetNew(int pinInsertionOffsetNew) {
+    this.pinInsertionOffsetNew = pinInsertionOffsetNew;
+  }
+
+  
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ExclSignatureCardProxy.java b/smcc/src/main/java/at/gv/egiz/smcc/ExclSignatureCardProxy.java
new file mode 100644
index 00000000..bfbd0063
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ExclSignatureCardProxy.java
@@ -0,0 +1,110 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.ArrayList;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class ExclSignatureCardProxy implements InvocationHandler {
+  
+  private static Log log = LogFactory.getLog(ExclSignatureCardProxy.class);
+
+  private static final Method init;
+  
+  static {
+    try {
+      init = SignatureCard.class.getMethod("init", new Class<?>[] { Card.class,
+          CardTerminal.class });
+    } catch (SecurityException e) {
+      throw new RuntimeException(e);
+    } catch (NoSuchMethodException e) {
+      throw new RuntimeException(e);
+    }
+  }
+  
+  private SignatureCard signatureCard;
+  
+  public ExclSignatureCardProxy(SignatureCard signatureCard) {
+    this.signatureCard = signatureCard;
+  }
+
+  public static SignatureCard newInstance(SignatureCard signatureCard) {
+    ArrayList<Class<?>> proxyInterfaces = new ArrayList<Class<?>>();
+    proxyInterfaces.add(SignatureCard.class);
+    if (PINMgmtSignatureCard.class.isAssignableFrom(signatureCard.getClass())) {
+      proxyInterfaces.add(PINMgmtSignatureCard.class);
+    }
+    ClassLoader loader = signatureCard.getClass().getClassLoader();
+    return (SignatureCard) Proxy.newProxyInstance(loader, proxyInterfaces
+        .toArray(new Class[proxyInterfaces.size()]),
+        new ExclSignatureCardProxy(signatureCard));
+  }
+  
+  public static PINMgmtSignatureCard newInstance(PINMgmtSignatureCard signatureCard) {
+    return null;
+  }
+
+  @Override
+  public Object invoke(Object proxy, Method method, Object[] args)
+      throws Throwable {
+
+    Card card = null;
+    
+    Method target = signatureCard.getClass().getMethod(method.getName(),
+        method.getParameterTypes());
+    
+    if (target.isAnnotationPresent(Exclusive.class)) {
+      card = (Card) ((method.equals(init)) 
+        ? args[0]
+        : signatureCard.getCard());
+    }
+    
+    if (card != null) {
+      try {
+        log.trace("Invoking method " + method.getName() + "() with exclusive access.");
+        card.beginExclusive();
+      } catch (CardException e) {
+        log.info("Failed to get exclusive access to signature card "
+            + signatureCard.toString() + ".");
+        throw new SignatureCardException(e);
+      }
+    }
+      
+    try {
+      return method.invoke(signatureCard, args);
+    } catch (InvocationTargetException e) {
+      throw e.getTargetException();
+    } finally {
+      if (card != null) {
+        card.endExclusive();
+      }
+    }
+    
+  
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/Exclusive.java b/smcc/src/main/java/at/gv/egiz/smcc/Exclusive.java
new file mode 100644
index 00000000..b796b045
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/Exclusive.java
@@ -0,0 +1,28 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface Exclusive {
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/LogCardChannel.java b/smcc/src/main/java/at/gv/egiz/smcc/LogCardChannel.java
new file mode 100644
index 00000000..3fc80fa1
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/LogCardChannel.java
@@ -0,0 +1,129 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.nio.ByteBuffer;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class LogCardChannel extends CardChannel {
+  
+  protected static Log log = LogFactory.getLog(LogCardChannel.class);
+  
+  private CardChannel channel;
+  
+  public LogCardChannel(CardChannel channel) {
+    if (channel == null) {
+      throw new NullPointerException();
+    }
+    this.channel = channel;
+  }
+
+  @Override
+  public void close() throws CardException {
+    channel.close();
+  }
+
+  @Override
+  public Card getCard() {
+    return channel.getCard();
+  }
+
+  @Override
+  public int getChannelNumber() {
+    return channel.getChannelNumber();
+  }
+
+  @Override
+  public ResponseAPDU transmit(CommandAPDU command) throws CardException {
+    if (log.isTraceEnabled()) {
+      switch (command.getINS()) {
+      case 0x20:    // VERIFY
+      case 0x21:    // VERIFY
+      case 0x24: {  // CHANGE REFERENCE DATA 
+        // Don't log possibly sensitive command data 
+        StringBuilder sb = new StringBuilder();
+        sb.append(command);
+        sb.append('\n');
+        byte[] c = new byte[4];
+        c[0] = (byte) command.getCLA();
+        c[1] = (byte) command.getINS();
+        c[2] = (byte) command.getP1();
+        c[3] = (byte) command.getP2();
+        sb.append(toString(c));
+        if (command.getNc() > 0) {
+          sb.append(':');
+          sb.append(toString(new byte[] {(byte) command.getNc()}));
+          for (int i = 0; i < command.getNc(); i++) {
+            sb.append(":XX");
+          }
+        }
+        if (command.getNe() > 0) {
+          sb.append(':');
+          sb.append(toString(new byte[] {(byte) command.getNe()}));
+        }
+        log.trace(sb.toString());
+      }; break;
+
+      default:
+        log.trace(command + "\n" + toString(command.getBytes()));
+      }
+      long t0 = System.currentTimeMillis();
+      ResponseAPDU response = channel.transmit(command);
+      long t1 = System.currentTimeMillis();
+      log.trace(response + " [" + (t1 - t0) + "ms]\n" + toString(response.getBytes()));
+      return response;
+    } else {
+      return channel.transmit(command);
+    }
+  }
+
+  @Override
+  public int transmit(ByteBuffer command, ByteBuffer response) throws CardException {
+    if (log.isTraceEnabled()) {
+      long t0 = System.currentTimeMillis();
+      int l = channel.transmit(command, response);
+      long t1 = System.currentTimeMillis();
+      log.trace("[" + (t1 - t0) + "ms]");
+      return l;
+    } else {
+      return channel.transmit(command, response);
+    }
+  }
+
+  private String toString(byte[] b) {
+    StringBuffer sb = new StringBuffer();
+    if (b != null && b.length > 0) {
+      sb.append(Integer.toHexString((b[0] & 240) >> 4));
+      sb.append(Integer.toHexString(b[0] & 15));
+    }
+    for (int i = 1; i < b.length; i++) {
+      sb.append(':');
+      sb.append(Integer.toHexString((b[i] & 240) >> 4));
+      sb.append(Integer.toHexString(b[i] & 15));
+    }
+    return sb.toString();
+  }
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/NewReferenceDataAPDUSpec.java b/smcc/src/main/java/at/gv/egiz/smcc/NewReferenceDataAPDUSpec.java
new file mode 100644
index 00000000..2eadaf26
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/NewReferenceDataAPDUSpec.java
@@ -0,0 +1,60 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class NewReferenceDataAPDUSpec extends VerifyAPDUSpec {
+  
+  /**
+   * The offset for the insertion of the new PIN. (Default:
+   * {@link VerifyAPDUSpec#pinLength} + 1})
+   */
+  protected int pinInsertionOffsetNew = 0;
+
+  public NewReferenceDataAPDUSpec(byte[] apdu, int pinPosition, int pinFormat, int pinLength) {
+    super(apdu, pinPosition, pinFormat, pinLength);
+  }
+
+  /**
+   * @param apdu
+   * @param pinPosition
+   * @param pinFormat
+   * @param pinLength
+   * @param pinLengthSize
+   * @param pinLengthPos
+   */
+  public NewReferenceDataAPDUSpec(byte[] apdu, int pinPosition,
+      int pinFormat, int pinLength, int pinLengthSize, int pinLengthPos) {
+    super(apdu, pinPosition, pinFormat, pinLength, pinLengthSize, pinLengthPos);
+  }
+
+  /**
+   * @return the pinInsertionOffsetNew
+   */
+  public int getPinInsertionOffsetNew() {
+    return pinInsertionOffsetNew;
+  }
+
+  /**
+   * @param pinInsertionOffsetNew the pinInsertionOffsetNew to set
+   */
+  public void setPinInsertionOffsetNew(int pinInsertionOffsetNew) {
+    this.pinInsertionOffsetNew = pinInsertionOffsetNew;
+  }
+
+  
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java b/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java
index 115e6d5f..eaf38435 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java
@@ -24,6 +24,8 @@ package at.gv.egiz.smcc;
  */
 public class PINConfirmationException extends SignatureCardException {
 
+  private static final long serialVersionUID = 1L;
+
   public PINConfirmationException() {
     super();
   }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java b/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java
index 28a13fdb..774fcdf5 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java
@@ -24,6 +24,8 @@ package at.gv.egiz.smcc;
  */
 public class PINFormatException extends SignatureCardException {
 
+  private static final long serialVersionUID = 1L;
+
   public PINFormatException() {
     super();
   }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java
new file mode 100644
index 00000000..53738612
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java
@@ -0,0 +1,41 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.util.List;
+
+public interface PINMgmtSignatureCard extends SignatureCard {
+
+  public enum PIN_STATE {UNKNOWN, ACTIV, NOT_ACTIV, BLOCKED};
+  
+  public List<PINSpec> getPINSpecs();
+
+  public PIN_STATE getPINState(PINSpec pinSpec) throws SignatureCardException;
+  
+  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
+  throws LockedException, NotActivatedException, CancelledException, SignatureCardException, InterruptedException;
+
+  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
+  throws LockedException, NotActivatedException, CancelledException, PINFormatException, SignatureCardException, InterruptedException;
+
+  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
+  throws CancelledException, SignatureCardException, InterruptedException;
+
+  public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider)
+  throws CancelledException, SignatureCardException, InterruptedException;
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINOperationAbortedException.java b/smcc/src/main/java/at/gv/egiz/smcc/PINOperationAbortedException.java
index 7337f59e..51e4904e 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINOperationAbortedException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINOperationAbortedException.java
@@ -24,6 +24,8 @@ package at.gv.egiz.smcc;
  */
 public class PINOperationAbortedException extends SignatureCardException {
 
+  private static final long serialVersionUID = 1L;
+
   public PINOperationAbortedException() {
     super();
   }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
index 8fa80dcb..5c294b5b 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
@@ -1,31 +1,19 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
 package at.gv.egiz.smcc;
 
 /**
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java b/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java
index d180ddf0..b8ffafab 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java
@@ -14,9 +14,9 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-
 package at.gv.egiz.smcc;
 
+import java.util.Locale;
 import java.util.ResourceBundle;
 
 /**
@@ -31,7 +31,7 @@ public class PINSpec {
     
     String rexepPattern_;
     
-    ResourceBundle resourceBundle_;
+    String resourceBundleName_;
     
     String name_;
 
@@ -49,17 +49,17 @@ public class PINSpec {
      * @param kid the keyId for this pin
      */
     public PINSpec(int minLenght, int maxLength, String rexepPattern, 
-        ResourceBundle resourceBundle, String name, byte kid, byte[] contextAID) {
+        String resourceBundleName, String name, byte kid, byte[] contextAID) {
         
         minLength_ = minLenght;
         maxLength_ = maxLength;
         rexepPattern_ = rexepPattern;
-        resourceBundle_ = resourceBundle;
+        resourceBundleName_ = resourceBundleName;
         name_ = name;
         kid_ = kid;
         context_aid_ = contextAID;
     }
-    
+
     public PINSpec(int minLenght, int maxLength, String rexepPattern, 
         String name, byte kid, byte[] contextAID) {
         
@@ -71,14 +71,26 @@ public class PINSpec {
         context_aid_ = contextAID;
     }
     
-    
-    
     public String getLocalizedName() {
+      
+      if (resourceBundleName_ != null) {
+        ResourceBundle resourceBundle = ResourceBundle.getBundle(resourceBundleName_);
+        return resourceBundle.getString(name_);
+      } else {
+        return name_;
+      }
         
-        return (resourceBundle_ != null) 
-            ? resourceBundle_.getString(name_)
-            : name_;
-        
+    }
+    
+    public String getLocalizedName(Locale locale) {
+      
+      if (resourceBundleName_ != null) {
+        ResourceBundle resourceBundle = ResourceBundle.getBundle(resourceBundleName_, locale);
+        return resourceBundle.getString(name_);
+      } else {
+        return name_;
+      }
+      
     }
 
     public int getMaxLength() {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index e622f65a..83c0197a 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -1,36 +1,27 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.ccid.CCID;
-import at.gv.egiz.smcc.util.SMCCHelper;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
 import java.util.Arrays;
+import java.util.List;
+
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CommandAPDU;
@@ -39,7 +30,10 @@ import javax.smartcardio.ResponseAPDU;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-public class STARCOSCard extends AbstractSignatureCard {
+import at.gv.egiz.smcc.util.ISO7816Utils;
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatureCard {
 
   /**
    * Logging facility.
@@ -154,133 +148,131 @@ public class STARCOSCard extends AbstractSignatureCard {
 
   public static final byte KID_PIN_CARD = (byte) 0x01;
 
-  public static final int PINSPEC_CARD = 0;
-  public static final int PINSPEC_SS = 1;
+  private static final PINSpec CARD_PIN_SPEC =
+    new PINSpec(4, 12, "[0-9]", 
+        "at/gv/egiz/smcc/STARCOSCard", "card.pin.name", KID_PIN_CARD, null);
+  
+  private static final PINSpec SS_PIN_SPEC =
+    new PINSpec(6, 12, "[0-9]", 
+        "at/gv/egiz/smcc/STARCOSCard", "sig.pin.name", KID_PIN_SS, AID_DF_SS);
 
   /**
    * Creates an new instance.
    */
   public STARCOSCard() {
     super("at/gv/egiz/smcc/STARCOSCard");
-    pinSpecs.add(PINSPEC_CARD, 
-            new PINSpec(4, 12, "[0-9]",
-              getResourceBundle().getString("card.pin.name"),
-              KID_PIN_CARD, null));
-    pinSpecs.add(PINSPEC_SS,
-            new PINSpec(6, 12, "[0-9]",
-              getResourceBundle().getString("sig.pin.name"),
-              KID_PIN_SS, AID_DF_SS));
+    pinSpecs.add(CARD_PIN_SPEC);
+    pinSpecs.add(SS_PIN_SPEC);
   }
  
   @Override
+  @Exclusive
   public byte[] getCertificate(KeyboxName keyboxName)
       throws SignatureCardException, InterruptedException {
 
-    try {
-      
-      if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
-        
-        try {
-          getCard().beginExclusive();
-          return readTLVFile(AID_DF_SS, EF_C_X509_CH_DS, 2000);
-        } catch (FileNotFoundException e) {
-          throw new NotActivatedException();
-        } finally {
-          getCard().endExclusive();
-        }
-        
-      } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
-
-        try {
-          getCard().beginExclusive();
-          return readTLVFile(AID_DF_GS, EF_C_X509_CH_AUT, 2000);
-        } catch (FileNotFoundException e) {
-          throw new NotActivatedException();
-        } finally {
-          getCard().endExclusive();
-        }
+    byte[] aid;
+    byte[] fid;
+    if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+      aid = AID_DF_SS;
+      fid = EF_C_X509_CH_DS;
+    } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) {
+      aid = AID_DF_GS;
+      fid = EF_C_X509_CH_AUT;
+    } else {
+      throw new IllegalArgumentException("Keybox " + keyboxName
+          + " not supported.");
+    }
 
-      } else {
-        throw new IllegalArgumentException("Keybox " + keyboxName
-            + " not supported.");
+    try {
+      CardChannel channel = getCardChannel();
+      // SELECT application
+      execSELECT_AID(channel, aid);
+      // SELECT file
+      execSELECT_FID(channel, fid);
+      // READ BINARY
+      byte[] certificate = ISO7816Utils.readTransparentFileTLV(channel, -1, (byte) 0x30);
+      if (certificate == null) {
+        throw new NotActivatedException();
       }
-      
+      return certificate;
+    } catch (FileNotFoundException e) {
+      throw new NotActivatedException();
     } catch (CardException e) {
-      log.warn(e);
-      throw new SignatureCardException("Failed to access card.", e);
+      log.info("Failed to get certificate.", e);
+      throw new SignatureCardException(e);
     }
 
   }
   
   @Override
+  @Exclusive
   public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
       throws SignatureCardException, InterruptedException {
   
     try {
       if ("IdentityLink".equals(infobox)) {
 
-        PINSpec spec = pinSpecs.get(PINSPEC_CARD);
-        //new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
-
-        int retries = -1;
-        boolean pinRequired = false;
+        PINSpec spec = CARD_PIN_SPEC;
+        
+        CardChannel channel = getCardChannel();
+        // SELECT application
+        execSELECT_AID(channel, AID_INFOBOX);
+        // SELECT file
+        execSELECT_FID(channel, EF_INFOBOX);
 
-        do {
+        while (true) {
           try {
-            getCard().beginExclusive();
-            if (pinRequired) {
-              char[] pin = provider.providePIN(spec, retries);
-              return readTLVFile(AID_INFOBOX, EF_INFOBOX, pin, spec.getKID(), 2000);
-            } else {
-              return readTLVFile(AID_INFOBOX, EF_INFOBOX, 2000);
-            }
-          } catch (FileNotFoundException e) {
-            throw new NotActivatedException();
+            return ISO7816Utils.readTransparentFileTLV(channel, -1, (byte) 0x30);
           } catch (SecurityStatusNotSatisfiedException e) {
-            pinRequired = true;
-            retries = verifyPIN(KID_PIN_CARD);
-          } catch (VerificationFailedException e) {
-            pinRequired = true;
-            retries = e.getRetries();
-          } finally {
-            getCard().endExclusive();
+            verifyPINLoop(channel, spec, provider);
           }
-        } while (retries != 0);
-
-        throw new LockedException();
-        
-      } else if ("EHIC".equals(infobox)) {
-        try {
-          getCard().beginExclusive();
-          return readTLVFile(AID_SV_PERSONENDATEN, FID_EHIC, 126);
-        } finally {
-          getCard().endExclusive();
-        }
-      } else if ("Grunddaten".equals(infobox)) {
-        try {
-          getCard().beginExclusive();
-          return readTLVFile(AID_SV_PERSONENDATEN, FID_GRUNDDATEN, 550);
-        } finally {
-          getCard().endExclusive();
-        }
-      } else if ("SV-Personenbindung".equals(infobox)) {
-        try {
-          getCard().beginExclusive();
-          return readTLVFile(AID_SV_PERSONENDATEN, FID_SV_PERSONENBINDUNG, 500);
-        } finally {
-          getCard().endExclusive();
         }
+        
       } else if ("Status".equals(infobox)) {
+        
+        CardChannel channel = getCardChannel();
+        // SELECT application
+        execSELECT_AID(channel, AID_SV_PERSONENDATEN);
+        // SELECT file
+        execSELECT_FID(channel, FID_STATUS);
+        // READ RECORDS
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
         try {
-          getCard().beginExclusive();
-          return readRecords(AID_SV_PERSONENDATEN, FID_STATUS, 1, 5);
-        } finally {
-          getCard().endExclusive();
+          for (int record = 1; record <= 5; record++) {
+            byte[] rb = ISO7816Utils.readRecord(channel, record);
+            bytes.write(rb);
+          }
+        } catch (IOException e) {
+          throw new SignatureCardException("Failed to read infobox '" + infobox
+              + "'.", e);
         }
+        return bytes.toByteArray();
+        
       } else {
-        throw new IllegalArgumentException("Infobox '" + infobox
-            + "' not supported.");
+
+        byte[] fid;
+        
+        if ("EHIC".equals(infobox)) {
+          fid = FID_EHIC;
+        } else if ("Grunddaten".equals(infobox)) {
+          fid = FID_GRUNDDATEN;
+        } else if ("SV-Personenbindung".equals(infobox)) {
+          fid = FID_SV_PERSONENBINDUNG;
+        } else {
+          throw new IllegalArgumentException("Infobox '" + infobox
+              + "' not supported.");
+        }
+       
+        CardChannel channel = getCardChannel();
+        // SELECT application
+        execSELECT_AID(channel, AID_SV_PERSONENDATEN);
+        // SELECT file
+        execSELECT_FID(channel, fid);
+        // READ BINARY
+        return ISO7816Utils.readTransparentFileTLV(channel, -1, (byte) 0x30);
+        
       }
+        
     } catch (CardException e) {
       log.warn(e);
       throw new SignatureCardException("Failed to access card.", e);
@@ -288,6 +280,7 @@ public class STARCOSCard extends AbstractSignatureCard {
   }
 
   @Override
+  @Exclusive
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
       PINProvider provider) throws SignatureCardException, InterruptedException {
   
@@ -297,68 +290,44 @@ public class STARCOSCard extends AbstractSignatureCard {
   
     try {
       
+      CardChannel channel = getCardChannel();
+      
       if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
 
-        PINSpec spec = pinSpecs.get(PINSPEC_SS);
-        //new PINSpec(6, 10, "[0-9]", getResourceBundle().getString("sig.pin.name"));
+        PINSpec spec = SS_PIN_SPEC;
+        
+        // SELECT MF
+        execSELECT_MF(channel);
+        // SELECT application
+        execSELECT_AID(channel, AID_DF_SS);
+        // VERIFY
+        verifyPINLoop(channel, spec, provider);
+        // MANAGE SECURITY ENVIRONMENT : SET DST
+        execMSE(channel, 0x41, 0xb6, DST_SS);
+        // PERFORM SECURITY OPERATION : HASH
+        execPSO_HASH(channel, hash);
+        // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
+        return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel);
         
-        int retries = -1;
-        char[] pin = null;
-
-        do {
-          try {
-            getCard().beginExclusive();
-            selectFileAID(AID_DF_SS);
-            retries = verifyPIN(KID_PIN_SS); //, null);
-          } finally {
-            getCard().endExclusive();
-          }
-          pin = provider.providePIN(spec, retries);
-          try {
-            getCard().beginExclusive();
-            return createSignature(hash, AID_DF_SS, pin, KID_PIN_SS, DST_SS);
-          } catch (VerificationFailedException e) {
-            retries = e.getRetries();
-          } catch (PINFormatException e) {
-            log.debug("wrong pin size entered, retry");
-          } finally {
-            getCard().endExclusive();
-          }
-        } while (retries != 0);
-
-        throw new LockedException();
-
- 
       } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
 
-        PINSpec spec = pinSpecs.get(PINSPEC_CARD);
-        //new PINSpec(4, 4, "[0-9]", getResourceBundle().getString("card.pin.name"));
- 
-        int retries = -1;
-        char[] pin = null;
-        boolean pinRequiered = false;
-
-        do {
-          if (pinRequiered) {
-            pin = provider.providePIN(spec, retries);
-          }
+        PINSpec spec = CARD_PIN_SPEC;
+        
+        // SELECT application
+        execSELECT_AID(channel, AID_DF_GS);
+        // MANAGE SECURITY ENVIRONMENT : SET DST
+        execMSE(channel, 0x41, 0xb6, DST_GS);
+        // PERFORM SECURITY OPERATION : HASH
+        execPSO_HASH(channel, hash);
+        
+        while (true) {
           try {
-            getCard().beginExclusive();
-            return createSignature(hash, AID_DF_GS, pin, KID_PIN_CARD, DST_GS);
-          } catch (FileNotFoundException e) {
-            throw new NotActivatedException();
+            // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
+            return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel);
           } catch (SecurityStatusNotSatisfiedException e) {
-            pinRequiered = true;
-            retries = verifyPIN(KID_PIN_CARD);
-          } catch (VerificationFailedException e) {
-            pinRequiered = true;
-            retries = e.getRetries();
-          } finally {
-            getCard().endExclusive();
+            verifyPINLoop(channel, spec, provider);
           }
-        } while (retries != 0);
-
-        throw new LockedException();
+        }
         
       } else {
         throw new IllegalArgumentException("KeyboxName '" + keyboxName
@@ -372,529 +341,366 @@ public class STARCOSCard extends AbstractSignatureCard {
   
   }
 
-
-  ////////////////////////////////////////////////////////////////////////
-  // PROTECTED METHODS (assume exclusive card access)
-  ////////////////////////////////////////////////////////////////////////
-
-  protected ResponseAPDU selectFileFID(byte[] fid) throws CardException, SignatureCardException {
-    CardChannel channel = getCardChannel();
-    return transmit(channel, new CommandAPDU(0x00, 0xA4, 0x02,
-        0x04, fid, 256));
-  }
-
-  private byte[] createSignature(byte[] hash, byte[] aid, char[] pin, byte kid,
-      byte[] dst) throws CardException, SignatureCardException {
-    
-    // SELECT MF
-    selectMF();
-    // SELECT DF
-    selectFileAID(aid);
-    // VERIFY
-    int retries = verifyPIN(kid, pin);
-    if (retries != -1) {
-      throw new VerificationFailedException(retries);
-    }
-    // MSE: SET DST
-    mseSetDST(dst);
-    // PSO: HASH
-    psoHash(hash);
-    // PSO: COMPUTE DIGITAL SIGNATURE
-    return psoComputDigitalSiganture();
-
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#verifyPIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.PINProvider)
+   */
+  @Override
+  @Exclusive
+  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
+      throws LockedException, NotActivatedException, CancelledException,
+      TimeoutException, SignatureCardException, InterruptedException {
     
-  }
-
-  private void selectMF() throws CardException, SignatureCardException {
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x00,
-        0x0C));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("Failed to select MF: SW="
-          + Integer.toHexString(resp.getSW()) + ".");
+    
+    try {
+      if (pinSpec.getContextAID() != null) {
+        // SELECT application
+        execSELECT_AID(channel, pinSpec.getContextAID());
+      }
+      int retries = verifyPIN(channel, pinSpec, null, 0);
+      verifyPIN(channel, pinSpec, pinProvider, retries);
+    } catch (CardException e) {
+      log.info("Failed to verify PIN.", e);
+      throw new SignatureCardException("Failed to verify PIN.", e);
     }
+    
   }
-
-  private void mseSetDST(byte[] dst) throws CardException, SignatureCardException {
+  
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#changePIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.ChangePINProvider)
+   */
+  @Override
+  @Exclusive
+  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
+      throws LockedException, NotActivatedException, CancelledException,
+      TimeoutException, SignatureCardException, InterruptedException {
+    
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x22, 0x41,
-        0xB6, dst));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("MSE:SET DST failed: SW="
-          + Integer.toHexString(resp.getSW()));
+    
+    try {
+      if (pinSpec.getContextAID() != null) {
+        // SELECT application
+        execSELECT_AID(channel, pinSpec.getContextAID());
+      }
+      int retries = verifyPIN(channel, pinSpec, null, 0);
+      changePIN(channel, pinSpec, pinProvider, retries);
+    } catch (CardException e) {
+      log.info("Failed to change PIN.", e);
+      throw new SignatureCardException("Failed to change PIN.", e);
     }
+    
   }
 
-  private void psoHash(byte[] hash) throws CardException, SignatureCardException {
-    byte[] data = new byte[hash.length + 2];
-    data[0] = (byte) 0x90; // tag
-    data[1] = (byte) (hash.length); // length
-    System.arraycopy(hash, 0, data, 2, hash.length);
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#activatePIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.PINProvider)
+   */
+  @Override
+  @Exclusive
+  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
+      throws CancelledException, SignatureCardException, CancelledException,
+      TimeoutException, InterruptedException {
 
     CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x90,
-        0xA0, data));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("PSO:HASH failed: SW="
-          + Integer.toHexString(resp.getSW()));
-    }
-  }
 
-  private byte[] psoComputDigitalSiganture() throws CardException,
-      SignatureCardException {
-    CardChannel channel = getCardChannel();
-    ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0x2A, 0x9E,
-        0x9A, 256));
-    if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException(
-          "PSO: COMPUTE DIGITAL SIGNATRE failed: SW="
-              + Integer.toHexString(resp.getSW()));
-    } else {
-      return resp.getData();
+    try {
+      if (pinSpec.getContextAID() != null) {
+        // SELECT application
+        execSELECT_AID(channel, pinSpec.getContextAID());
+      }
+      activatePIN(channel, pinSpec, pinProvider);
+    } catch (CardException e) {
+      log.info("Failed to activate PIN.", e);
+      throw new SignatureCardException("Failed to activate PIN.", e);
     }
+    
   }
 
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.PINMgmtSignatureCard#unblockPIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.PINProvider)
+   */
   @Override
-  protected int verifyPIN(byte kid, char[] pin)
-          throws LockedException, NotActivatedException, TimeoutException, CancelledException, PINFormatException, PINOperationAbortedException, SignatureCardException {
-    try {
-      byte[] sw;
-      if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-        log.debug("verify pin on cardreader");
-        sw = reader.verifyPinDirect(getPINVerifyStructure(kid));
-//        int sw = (resp[resp.length-2] & 0xff) << 8 | resp[resp.length-1] & 0xff;
-      } else if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_START)) {
-        log.debug("verify pin on cardreader");
-        sw = reader.verifyPin(getPINVerifyStructure(kid));
-      } else {
-        byte[] pinBlock = encodePINBlock(pin);
-        CardChannel channel = getCardChannel();
-        ResponseAPDU resp = transmit(channel,
-                new CommandAPDU(0x00, 0x20, 0x00, kid, pinBlock), false);
-        sw = new byte[2];
-        sw[0] = (byte) resp.getSW1();
-        sw[1] = (byte) resp.getSW2();
-      }
-
-      if (sw[0] == (byte) 0x90 && sw[1] == (byte) 0x00) {
-        return -1;
-      } else if (sw[0] == (byte) 0x63 && sw[1] == (byte) 0xc0) {
-        throw new LockedException("[63:c0]");
-      } else if (sw[0] == (byte) 0x63 && (sw[1] & 0xf0) >> 4 == 0xc) {
-        return sw[1] & 0x0f;
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x83) {
-        //Authentisierungsmethode gesperrt
-        throw new LockedException("[69:83]");
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x84) {
-        //referenzierte Daten sind reversibel gesperrt (invalidated)
-        throw new NotActivatedException("[69:84]");
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x85) {
-        //Benutzungsbedingungen nicht erfüllt
-        throw new NotActivatedException("[69:85]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x00) {
-        throw new TimeoutException("[64:00]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x01) {
-        throw new CancelledException("[64:01]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x03) {
-        throw new PINFormatException("[64:03]");
-      }
-      log.error("Failed to verify pin: SW="
-              + SMCCHelper.toString(sw));
-      throw new SignatureCardException(SMCCHelper.toString(sw));
-      
-    } catch (CardException ex) {
-      log.error("smart card communication failed: " + ex.getMessage());
-      throw new SignatureCardException("smart card communication failed: " + ex.getMessage(), ex);
-    }
+  public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider)
+      throws CancelledException, SignatureCardException, InterruptedException {
+    throw new SignatureCardException("Unblock PIN is not supported.");
   }
 
   @Override
-  protected int verifyPIN(byte kid)
-          throws LockedException, NotActivatedException, SignatureCardException {
+  public void reset() throws SignatureCardException {
     try {
+      super.reset();
+      log.debug("select MF (e-card workaround)");
       CardChannel channel = getCardChannel();
-      ResponseAPDU resp = transmit(channel,
-              new CommandAPDU(0x00, 0x20, 0x00, kid), false);
-
-      if (resp.getSW() == 0x9000) {
-        return -1;
-      } else if (resp.getSW() == 0x63c0) {
-        throw new LockedException("[63:c0]");
-      } else if (resp.getSW1() == 0x63 && (resp.getSW2() & 0xf0) >> 4 == 0xc) {
-        return resp.getSW2() & 0x0f;
-      } else if (resp.getSW() == 0x6983) {
-        //Authentisierungsmethode gesperrt
-        throw new LockedException("[69:83]");
-      } else if (resp.getSW() == 0x6984) {
-        //referenzierte Daten sind reversibel gesperrt (invalidated)
-        throw new NotActivatedException("[69:84]");
-      } else if (resp.getSW() == 0x6985) {
-        //Benutzungsbedingungen nicht erfüllt
-        throw new NotActivatedException("[69:85]");
+      ResponseAPDU resp = channel.transmit(new CommandAPDU(0x00, 0xA4, 0x00, 0x0C));
+      if (resp.getSW() != 0x9000) {
+        throw new SignatureCardException("Failed to select MF after RESET: SW=" + Integer.toHexString(resp.getSW()) + ".");
       }
-      log.error("Failed to verify pin: SW="
-              + Integer.toHexString(resp.getSW()));
-      throw new SignatureCardException("[" + Integer.toHexString(resp.getSW()) + "]");
-
     } catch (CardException ex) {
-      log.error("smart card communication failed: " + ex.getMessage());
-      throw new SignatureCardException("smart card communication failed: " + ex.getMessage(), ex);
+      log.error("Failed to select MF after RESET: " + ex.getMessage(), ex);
+      throw new SignatureCardException("Failed to select MF after RESET");
     }
   }
 
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.PINMgmtSignatureCard#getPINSpecs()
+   */
   @Override
-  protected int changePIN(byte kid, char[] oldPin, char[] newPin)
-          throws LockedException, CancelledException, PINFormatException, PINConfirmationException, TimeoutException, PINOperationAbortedException, SignatureCardException {
-    try {
-      byte[] sw;
-      if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_DIRECT)) {
-        log.debug("modify pin on cardreader");
-        sw = reader.modifyPinDirect(getPINModifyStructure(kid));
-      } else if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_START)) {
-        log.debug("modify pin on cardreader");
-        sw = reader.modifyPin(getPINModifyStructure(kid));
-      } else {
-        byte[] cmd = new byte[16];
-        System.arraycopy(encodePINBlock(oldPin), 0, cmd, 0, 8);
-        System.arraycopy(encodePINBlock(newPin), 0, cmd, 8, 8);
-
-        CardChannel channel = getCardChannel();
-
-        ResponseAPDU resp = transmit(channel,
-                new CommandAPDU(0x00, 0x24, 0x00, kid, cmd), false);
-
-        sw = new byte[2];
-        sw[0] = (byte) resp.getSW1();
-        sw[1] = (byte) resp.getSW2();
-      }
-
-      // activates pin (newPIN) if not active
-      if (sw[0] == (byte) 0x90 && sw[1] == (byte) 0x00) {
-        return -1;
-      } else if (sw[0] == (byte) 0x63 && sw[1] == (byte) 0xc0) {
-        throw new LockedException("[63:c0]");
-      } else if (sw[0] == (byte) 0x63 && (sw[1] & 0xf0) >> 4 == 0xc) {
-        return sw[1] & 0x0f;
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x83) {
-        //Authentisierungsmethode gesperrt
-        throw new LockedException("[69:83]");
-//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x84) {
-//        //referenzierte Daten sind reversibel gesperrt (invalidated)
-//        throw new NotActivatedException("[69:84]");
-//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x85) {
-//        //Benutzungsbedingungen nicht erfüllt
-//        throw new NotActivatedException("[69:85]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x00) {
-        throw new TimeoutException("[64:00]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x01) {
-        throw new CancelledException("[64:01]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x02) {
-        throw new PINConfirmationException("[64:02]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x03) {
-        throw new PINFormatException("[64:03]");
-      } else if (sw[0] == (byte) 0x6a && sw[1] == (byte) 0x80) {
-        log.info("invalid parameter, assume wrong pin size");
-        throw new PINFormatException("[6a:80]");
-      }
-      log.error("Failed to change pin: SW="
-              + SMCCHelper.toString(sw));
-      throw new SignatureCardException(SMCCHelper.toString(sw));
-    } catch (CardException ex) {
-      log.error("smart card communication failed: " + ex.getMessage());
-      throw new SignatureCardException("smart card communication failed: " + ex.getMessage(), ex);
-    }
+  public List<PINSpec> getPINSpecs() {
+    return Arrays.asList(new PINSpec[] {CARD_PIN_SPEC, SS_PIN_SPEC});
   }
 
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.PINMgmtSignatureCard#getPINStatus(at.gv.egiz.smcc.PINSpec)
+   */
   @Override
-  protected void activatePIN(byte kid, char[] pin)
-          throws CancelledException, PINFormatException, PINConfirmationException, TimeoutException, PINOperationAbortedException, SignatureCardException {
+  public PIN_STATE getPINState(PINSpec pinSpec) throws SignatureCardException {
+    
+    CardChannel channel = getCardChannel();
+    
     try {
-      byte[] sw;
-      if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_DIRECT)) {
-        log.debug("activate pin on cardreader");
-        sw = reader.modifyPinDirect(getActivatePINModifyStructure(kid));
-      } else if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_START)) {
-        log.debug("activate pin on cardreader");
-        sw = reader.modifyPin(getActivatePINModifyStructure(kid));
-      } else {
-        CardChannel channel = getCardChannel();
-        ResponseAPDU resp = transmit(channel,
-                new CommandAPDU(0x00, 0x24, 0x01, kid, encodePINBlock(pin)), false);
-
-        sw = new byte[2];
-        sw[0] = (byte) resp.getSW1();
-        sw[1] = (byte) resp.getSW2();
-        log.trace("activate pin returned SW=" + Integer.toHexString(resp.getSW()));
-      }
-
-      if (sw[0] == (byte) 0x90 && sw[1] == (byte) 0x00) {
-        return;
-      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x83) {
-        //Authentisierungsmethode gesperrt
-        throw new LockedException("[69:83]");
-//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x84) {
-//        //referenzierte Daten sind reversibel gesperrt (invalidated)
-//        throw new NotActivatedException("[69:84]");
-//      } else if (sw[0] == (byte) 0x69 && sw[1] == (byte) 0x85) {
-//        //Benutzungsbedingungen nicht erfüllt
-//        throw new NotActivatedException("[69:85]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x00) {
-        throw new TimeoutException("[64:00]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x01) {
-        throw new CancelledException("[64:01]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x02) {
-        throw new PINConfirmationException("[64:02]");
-      } else if (sw[0] == (byte) 0x64 && sw[1] == (byte) 0x03) {
-        throw new PINFormatException("[64:03]");
+      if (pinSpec.getContextAID() != null) {
+        // SELECT AID
+        execSELECT_AID(channel, pinSpec.getContextAID());
       }
-      log.error("Failed to activate pin: SW="
-              + SMCCHelper.toString(sw));
-      throw new SignatureCardException(SMCCHelper.toString(sw));
-
-    } catch (CardException ex) {
-      log.error("smart card communication failed: " + ex.getMessage());
-      throw new SignatureCardException("smart card communication failed: " + ex.getMessage(), ex);
+      verifyPIN(channel, pinSpec, null, 0);
+      return PIN_STATE.ACTIV;
+    } catch (InterruptedException e) {
+      return PIN_STATE.UNKNOWN;
+    } catch (LockedException e) {
+      return PIN_STATE.BLOCKED;
+    } catch (NotActivatedException e) {
+      return PIN_STATE.NOT_ACTIV;
+    } catch (CardException e) {
+      log.error("Failed to get PIN status.", e);
+      throw new SignatureCardException("Failed to get PIN status.", e);
     }
+    
   }
 
-  /**
-   * BCD encodes the pin, pads with 0xFF and prepends the pins length
-   * @param pin
-   * @return a 8 byte pin block consisting of length byte (0x2X),
-   * the BCD encoded pin and a 0xFF padding
-   */
-  @Override
-  protected byte[] encodePINBlock(char[] pin) throws SignatureCardException {
-    if (pin == null || pin.length > 12) {
-      throw new SignatureCardException("invalid pin: " + pin);
+  public String toString() {
+    return "e-card";
+  }
+  
+  ////////////////////////////////////////////////////////////////////////
+  // PROTECTED METHODS (assume exclusive card access)
+  ////////////////////////////////////////////////////////////////////////
+  
+  protected void verifyPINLoop(CardChannel channel, PINSpec spec, PINProvider provider)
+      throws LockedException, NotActivatedException, SignatureCardException,
+      InterruptedException, CardException {
+    
+    int retries = verifyPIN(channel, spec, null, -1);
+    do {
+      retries = verifyPIN(channel, spec, provider, retries);
+    } while (retries > 0);
+    
+  }
+  
+  protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
+      PINProvider provider, int retries) throws SignatureCardException,
+      LockedException, NotActivatedException, InterruptedException,
+      CardException {
+    
+    VerifyAPDUSpec apduSpec = new VerifyAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x00, pinSpec.getKID(), (byte) 0x08,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
+    
+    ResponseAPDU resp;
+    if (provider != null) {
+      resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    } else {
+      resp = channel.transmit(new CommandAPDU(0x00, 0x20, 0x00, pinSpec.getKID()));
+    }
+    
+    if (resp.getSW() == 0x9000) {
+      return -1;
+    }
+    if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    }
+    
+    switch (resp.getSW()) {
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
+    case 0x6984:
+      // reference data not usable
+      throw new NotActivatedException();
+    case 0x6985:
+      // conditions of use not satisfied
+      throw new NotActivatedException();
+  
+    default:
+      String msg = "VERIFY failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+    
+  }
+  
+  protected int changePIN(CardChannel channel, PINSpec pinSpec,
+      ChangePINProvider pinProvider, int retries) throws CancelledException,
+      InterruptedException, CardException, SignatureCardException {
+    
+    ChangeReferenceDataAPDUSpec apduSpec = new ChangeReferenceDataAPDUSpec(
+        new byte[] { 
+            (byte) 0x00, (byte) 0x24, (byte) 0x00, pinSpec.getKID(), (byte) 0x10, 
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4, 8);
+    
+    ResponseAPDU resp = reader.modify(channel, apduSpec, pinSpec, pinProvider, retries);
+    
+    if (resp.getSW() == 0x9000) {
+      return -1;
     }
-    int numDigits = pin.length;
-    int numBytes = (int) Math.ceil(numDigits/2.0);
+    if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    }
+    
+    switch (resp.getSW()) {
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
+  
+    default:
+      String msg = "CHANGE REFERENCE DATA failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+   
+    
+  }
 
-    byte[] pinBlock = new byte[8];
-    pinBlock[0] = (byte) (0x20 | numDigits);
+  protected int activatePIN(CardChannel channel, PINSpec pinSpec,
+      PINProvider provider) throws SignatureCardException,
+      InterruptedException, CardException {
+    
+    NewReferenceDataAPDUSpec apduSpec = new NewReferenceDataAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x01, pinSpec.getKID(), (byte) 0x08,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
+    
+    ResponseAPDU resp = reader.activate(channel, apduSpec, pinSpec, provider);
+    
+    switch (resp.getSW()) {
+    
+    case 0x9000:
+      return -1;
 
-    for (int i = 0; i < numBytes; i++) {
-      int p1 = 16*Character.digit(pin[i*2], 16);
-      int p2 = (i*2+1 < numDigits) ? Character.digit(pin[i*2+1], 16) : 0xf;
-      pinBlock[i+1] = (byte) (p1 + p2);
-    }
-    Arrays.fill(pinBlock, numBytes + 1, pinBlock.length, (byte) 0xff);
-//    log.trace("BCD encoded PIN block: " + SMCCHelper.toString(pinBlock));
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
 
-    return pinBlock;
+    default:
+      String msg = "CHANGE REFERENCE DATA failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+    
   }
   
-  private byte[] getPINVerifyStructure(byte kid) {
-      byte bTimeOut = reader.getbTimeOut(); 
-      byte bTimeOut2 = reader.getbTimeOut2(); // time out after first entry
-      byte bmFormatString = (byte) 0x89;      // 1 0001 0 01 
-                                              // ^------------ System unit = byte
-                                              //   ^^^^------- PIN position in the frame = 1 byte
-                                              //        ^----- PIN justification left
-                                              //          ^^-- BCD format
-      byte bmPINBlockString = (byte) 0x47;    // 0100 0111
-                                              // ^^^^--------- PIN length size: 4 bits
-                                              //      ^^^^---- Length PIN = 7 bytes
-      byte bmPINLengthFormat = (byte) 0x04;   // 000 0 0100
-                                              //     ^-------- System bit units is bit
-                                              //       ^^^^--- PIN length is at the 4th position bit
-      //TODO compare ints, not bytes
-      byte wPINMaxExtraDigitL =               // Max=12 digits 
-              (reader.getwPINMaxExtraDigitL() < (byte) 0x0c) ?
-                reader.getwPINMaxExtraDigitL() : (byte) 0x0c;
-      byte wPINMaxExtraDigitH =               // Min=4/6 digits TODO card/ss pin (min: 4/6)
-              (reader.getwPINMaxExtraDigitH() > (byte) 0x04) ?
-                reader.getwPINMaxExtraDigitH() : (byte) 0x04;
-      byte bEntryValidationCondition = 
-              reader.getbEntryValidationCondition();  
-      byte bNumberMessage = (byte) 0x00;      // No message
-      byte wLangIdL = (byte) 0x0C;            // - English?
-      byte wLangIdH = (byte) 0x04;            // \
-      byte bMsgIndex = (byte) 0x00;           // Default Msg
-
-      byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x20, (byte) 0x00, kid, (byte) 0x08,  // CLA INS P1 P2 LC
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,               // Data
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff                // ...
-      };
-
-      int offset = 0;
-      byte[] pinVerifyStructure = new byte[offset + 19 + apdu.length];
-      pinVerifyStructure[offset++] = bTimeOut;
-      pinVerifyStructure[offset++] = bTimeOut2;
-      pinVerifyStructure[offset++] = bmFormatString;
-      pinVerifyStructure[offset++] = bmPINBlockString;
-      pinVerifyStructure[offset++] = bmPINLengthFormat;
-      pinVerifyStructure[offset++] = wPINMaxExtraDigitL;
-      pinVerifyStructure[offset++] = wPINMaxExtraDigitH;
-      pinVerifyStructure[offset++] = bEntryValidationCondition;
-      pinVerifyStructure[offset++] = bNumberMessage;
-      pinVerifyStructure[offset++] = wLangIdL;
-      pinVerifyStructure[offset++] = wLangIdH;
-      pinVerifyStructure[offset++] = bMsgIndex;
-      
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      
-      pinVerifyStructure[offset++] = (byte) apdu.length;
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      pinVerifyStructure[offset++] = 0x00;
-      System.arraycopy(apdu, 0, pinVerifyStructure, offset, apdu.length);
-
-      return pinVerifyStructure;
+  protected void execSELECT_MF(CardChannel channel) throws CardException, SignatureCardException {
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x00, 0x0C));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("Failed to select MF: SW="
+          + Integer.toHexString(resp.getSW()) + ".");
+    }
   }
 
-  private byte[] getPINModifyStructure(byte kid) {
-
-      byte bTimeOut = reader.getbTimeOut();   // s.o.
-      byte bTimeOut2 = reader.getbTimeOut2(); // s.o.
-      byte bmFormatString = (byte) 0x89;      // s.o.
-      byte bmPINBlockString = (byte) 0x47;    // s.o.
-      byte bmPINLengthFormat = (byte) 0x04;   // s.o.
-      byte bInsertionOffsetOld = (byte) 0x00; // insertion position offset in bytes
-      byte bInsertionOffsetNew = (byte) 0x08; // (add 1 from bmFormatString b3)
-      byte wPINMaxExtraDigitL = 
-              (reader.getwPINMaxExtraDigitL() < (byte) 0x0c) ?
-                reader.getwPINMaxExtraDigitL() : (byte) 0x0c;
-      byte wPINMaxExtraDigitH =               // Min=4/6 digits TODO card/ss pin (min: 4/6)
-              (reader.getwPINMaxExtraDigitH() > (byte) 0x04) ?
-                reader.getwPINMaxExtraDigitH() : (byte) 0x04;
-      byte bConfirmPIN = (byte) 0x03;         // current pin entry + confirmation
-      byte bEntryValidationCondition =
-              reader.getbEntryValidationCondition();
-      byte bNumberMessage = (byte) 0x03;      // 3 messages
-      byte wLangIdL = (byte) 0x0C;            
-      byte wLangIdH = (byte) 0x04;            
-      byte bMsgIndex1 = (byte) 0x00;          // insertion
-      byte bMsgIndex2 = (byte) 0x01;          // modification
-      byte bMsgIndex3 = (byte) 0x02;          // confirmation
-
-      byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x24, (byte) 0x00, kid, (byte) 0x10, 
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,      
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,      
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,      
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff       
-      };
-
-      int offset = 0;
-      byte[] pinModifyStructure = new byte[offset + 24 + apdu.length];
-      pinModifyStructure[offset++] = bTimeOut;
-      pinModifyStructure[offset++] = bTimeOut2;
-      pinModifyStructure[offset++] = bmFormatString;
-      pinModifyStructure[offset++] = bmPINBlockString;
-      pinModifyStructure[offset++] = bmPINLengthFormat;
-      pinModifyStructure[offset++] = bInsertionOffsetOld;
-      pinModifyStructure[offset++] = bInsertionOffsetNew;
-      pinModifyStructure[offset++] = wPINMaxExtraDigitL;
-      pinModifyStructure[offset++] = wPINMaxExtraDigitH;
-      pinModifyStructure[offset++] = bConfirmPIN;
-      pinModifyStructure[offset++] = bEntryValidationCondition;
-      pinModifyStructure[offset++] = bNumberMessage;
-      pinModifyStructure[offset++] = wLangIdL;
-      pinModifyStructure[offset++] = wLangIdH;
-      pinModifyStructure[offset++] = bMsgIndex1;
-      pinModifyStructure[offset++] = bMsgIndex2;
-      pinModifyStructure[offset++] = bMsgIndex3;
-
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-
-      pinModifyStructure[offset++] = (byte) apdu.length;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      System.arraycopy(apdu, 0, pinModifyStructure, offset, apdu.length);
-
-//      log.debug("PIN MODIFY " + SMCCHelper.toString(pinModifyStructure));
-      return pinModifyStructure;
+  protected byte[] execSELECT_AID(CardChannel channel, byte[] aid)
+      throws SignatureCardException, CardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, 256));
+    
+    if (resp.getSW() == 0x6A82) {
+      String msg = "File or application not found AID="
+          + SMCCHelper.toString(aid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new FileNotFoundException(msg);
+    } else if (resp.getSW() != 0x9000) {
+      String msg = "Failed to select application AID="
+          + SMCCHelper.toString(aid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    } else {
+      return resp.getBytes();
+    }
+    
   }
-  private byte[] getActivatePINModifyStructure(byte kid) {
-
-      byte bTimeOut = reader.getbTimeOut();   
-      byte bTimeOut2 = reader.getbTimeOut2(); 
-      byte bmFormatString = (byte) 0x89;      
-      byte bmPINBlockString = (byte) 0x47;    
-      byte bmPINLengthFormat = (byte) 0x04;   
-      byte bInsertionOffsetOld = (byte) 0x00; // ignored
-      byte bInsertionOffsetNew = (byte) 0x00; 
-      byte wPINMaxExtraDigitL =
-              (reader.getwPINMaxExtraDigitL() < (byte) 0x12) ?
-                reader.getwPINMaxExtraDigitL() : (byte) 0x12;
-      byte wPINMaxExtraDigitH =               // Min=4/6 digits TODO card/ss pin (min: 4/6)
-              (reader.getwPINMaxExtraDigitH() > (byte) 0x04) ?
-                reader.getwPINMaxExtraDigitH() : (byte) 0x04;
-      byte bConfirmPIN = (byte) 0x01;         // confirm, no current pin entry
-      byte bEntryValidationCondition =
-              reader.getbEntryValidationCondition();
-      byte bNumberMessage = (byte) 0x02;      // 2 messages
-      byte wLangIdL = (byte) 0x0c;
-      byte wLangIdH = (byte) 0x04;
-      byte bMsgIndex1 = (byte) 0x01;          // modification prompt
-      byte bMsgIndex2 = (byte) 0x02;          // confirmation prompt
-      byte bMsgIndex3 = (byte) 0x00;           
-
-      byte[] apdu = new byte[] {
-        (byte) 0x00, (byte) 0x24, (byte) 0x01, kid, (byte) 0x08,
-        (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff,
-        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff
-      };
-
-      int offset = 0;
-      byte[] pinModifyStructure = new byte[offset + 24 + apdu.length];
-      pinModifyStructure[offset++] = bTimeOut;
-      pinModifyStructure[offset++] = bTimeOut2;
-      pinModifyStructure[offset++] = bmFormatString;
-      pinModifyStructure[offset++] = bmPINBlockString;
-      pinModifyStructure[offset++] = bmPINLengthFormat;
-      pinModifyStructure[offset++] = bInsertionOffsetOld;
-      pinModifyStructure[offset++] = bInsertionOffsetNew;
-      pinModifyStructure[offset++] = wPINMaxExtraDigitL;
-      pinModifyStructure[offset++] = wPINMaxExtraDigitH;
-      pinModifyStructure[offset++] = bConfirmPIN;
-      pinModifyStructure[offset++] = bEntryValidationCondition;
-      pinModifyStructure[offset++] = bNumberMessage;
-      pinModifyStructure[offset++] = wLangIdL;
-      pinModifyStructure[offset++] = wLangIdH;
-      pinModifyStructure[offset++] = bMsgIndex1;
-      pinModifyStructure[offset++] = bMsgIndex2;
-      pinModifyStructure[offset++] = bMsgIndex3;
-
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-
-      pinModifyStructure[offset++] = (byte) apdu.length;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      pinModifyStructure[offset++] = 0x00;
-      System.arraycopy(apdu, 0, pinModifyStructure, offset, apdu.length);
-
-//      log.debug("PIN MODIFY " + SMCCHelper.toString(pinModifyStructure));
-      return pinModifyStructure;
+  
+  protected byte[] execSELECT_FID(CardChannel channel, byte[] fid)
+      throws SignatureCardException, CardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x02, 0x04, fid, 256));
+    
+    if (resp.getSW() == 0x6A82) {
+      String msg = "File or application not found FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new FileNotFoundException(msg);
+    } else if (resp.getSW() != 0x9000) {
+      String msg = "Failed to select application FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.error(msg);
+      throw new SignatureCardException(msg);
+    } else {
+      return resp.getBytes();
+    }
+    
   }
+  
+  protected void execMSE(CardChannel channel, int p1, int p2, byte[] data)
+      throws CardException, SignatureCardException {
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x22, p1, p2, data));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("MSE:SET DST failed: SW="
+          + Integer.toHexString(resp.getSW()));
+    }
+  }
+  
+  protected void execPSO_HASH(CardChannel channel, byte[] hash) throws CardException, SignatureCardException {
+    byte[] data = new byte[hash.length + 2];
+    data[0] = (byte) 0x90; // tag
+    data[1] = (byte) (hash.length); // length
+    System.arraycopy(hash, 0, data, 2, hash.length);
 
-  @Override
-  public void reset() throws SignatureCardException {
-    try {
-      super.reset();
-      log.debug("select MF (e-card workaround)");
-      CardChannel channel = getCardChannel();
-      ResponseAPDU resp = transmit(channel, new CommandAPDU(0x00, 0xA4, 0x00, 0x0C));
-      if (resp.getSW() != 0x9000) {
-        throw new SignatureCardException("Failed to select MF after RESET: SW=" + Integer.toHexString(resp.getSW()) + ".");
-      }
-    } catch (CardException ex) {
-      log.error("Failed to select MF after RESET: " + ex.getMessage(), ex);
-      throw new SignatureCardException("Failed to select MF after RESET");
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x2A, 0x90, 0xA0, data));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("PSO:HASH failed: SW="
+          + Integer.toHexString(resp.getSW()));
     }
   }
 
-  public String toString() {
-    return "e-card";
+  protected byte[] execPSO_COMPUTE_DIGITAL_SIGNATURE(CardChannel channel)
+      throws CardException, SignatureCardException {
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, 256));
+    if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
+    } else if (resp.getSW() == 0x6983) {
+      throw new LockedException();
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException(
+          "PSO: COMPUTE DIGITAL SIGNATRE failed: SW="
+              + Integer.toHexString(resp.getSW()));
+    } else {
+      return resp.getData();
+    }
   }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
index da084e0d..279362c0 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
@@ -14,10 +14,8 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.ccid.CCID;
 import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
@@ -37,20 +35,20 @@ import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
-import java.util.ArrayList;
 import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.List;
 import java.util.Locale;
 
-import java.util.Map;
 import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CardTerminal;
+import javax.smartcardio.ResponseAPDU;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import at.gv.egiz.smcc.ccid.CCID;
+
 /**
  *
  * @author mcentner
@@ -395,31 +393,6 @@ public class SWCard implements SignatureCard {
   public void reset() throws SignatureCardException {
   }
 
-  @Override
-  public List<PINSpec> getPINSpecs() {
-    return new ArrayList<PINSpec>();
-  }
-
-  @Override
-  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
-          throws LockedException, NotActivatedException, SignatureCardException {
-  }
-
-  @Override
-  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider) throws SignatureCardException {
-    throw new UnsupportedOperationException("Not supported yet.");
-  }
-
-  @Override
-  public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider) throws CancelledException, SignatureCardException, InterruptedException {
-    throw new UnsupportedOperationException("Not supported yet.");
-  }
-
-  @Override
-  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider) throws LockedException, NotActivatedException, CancelledException, SignatureCardException, InterruptedException {
-    throw new UnsupportedOperationException("Not supported yet.");
-  }
-
   @Override
   public CCID getReader() {
     return new CCID() {
@@ -488,6 +461,32 @@ public class SWCard implements SignatureCard {
       public void setDisablePinpad(boolean disable) {
         throw new UnsupportedOperationException("Not supported yet.");
       }
+
+      @Override
+      public ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
+          PINSpec pinSpec, PINProvider provider, int retries)
+          throws CancelledException, InterruptedException, CardException,
+          SignatureCardException {
+        throw new UnsupportedOperationException("Not supported yet.");
+      }
+
+      @Override
+      public ResponseAPDU activate(CardChannel channel,
+          NewReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
+          PINProvider provider) throws CancelledException,
+          InterruptedException, CardException, SignatureCardException {
+        // TODO Auto-generated method stub
+        return null;
+      }
+
+      @Override
+      public ResponseAPDU modify(CardChannel channel,
+          ChangeReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
+          ChangePINProvider provider, int retries) throws CancelledException,
+          InterruptedException, CardException, SignatureCardException {
+        // TODO Auto-generated method stub
+        return null;
+      }
     };
   }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
index c06074f2..1a163783 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
@@ -1,35 +1,23 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
 package at.gv.egiz.smcc;
 
 import at.gv.egiz.smcc.ccid.CCID;
-import java.util.List;
 import java.util.Locale;
 
 import javax.smartcardio.Card;
@@ -76,6 +64,11 @@ public interface SignatureCard {
       return keyboxName_;
     }
 
+    @Override
+    public String toString() {
+      return keyboxName_;
+    }
+
   }
 
   public void init(Card card, CardTerminal cardTerminal);
@@ -118,24 +111,6 @@ public interface SignatureCard {
   public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
       PINProvider provider) throws SignatureCardException, InterruptedException;
 
-  /**
-   * Get the KIDs for all available PINs and the corresponding PINSpecs
-   * @return array of KIDs
-   */
-  public List<PINSpec> getPINSpecs();
-
-  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
-          throws LockedException, NotActivatedException, CancelledException, SignatureCardException, InterruptedException;
-
-  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
-          throws LockedException, NotActivatedException, CancelledException, PINFormatException, SignatureCardException, InterruptedException;
-
-  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
-          throws CancelledException, SignatureCardException, InterruptedException;
-
-  public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider)
-          throws CancelledException, SignatureCardException, InterruptedException;
-
   public CCID getReader();
 
   /**
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java
index f296f3a2..48b4646a 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardException.java
@@ -1,31 +1,20 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
 package at.gv.egiz.smcc;
 
 public class SignatureCardException extends Exception {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
index 5146c275..f46f8657 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
@@ -1,31 +1,20 @@
-//Copyright (C) 2002 IAIK
-//http://jce.iaik.at
-//
-//Copyright (C) 2003 Stiftung Secure Information and 
-//                 Communication Technologies SIC
-//http://www.sic.st
-//
-//All rights reserved.
-//
-//This source is provided for inspection purposes and recompilation only,
-//unless specified differently in a contract with IAIK. This source has to
-//be kept in strict confidence and must not be disclosed to any third party
-//under any circumstances. Redistribution in source and binary forms, with
-//or without modification, are <not> permitted in any case!
-//
-//THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-//ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-//IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-//ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-//FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-//DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-//OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-//HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-//LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-//OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-//SUCH DAMAGE.
-//
-//
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
 package at.gv.egiz.smcc;
 
 import java.util.ArrayList;
@@ -233,7 +222,11 @@ public class SignatureCardFactory {
         try {
           Class<?> scClass = cl.loadClass(supportedCard.getImplementationClassName());
           sc = (SignatureCard) scClass.newInstance();
+          
+          sc = ExclSignatureCardProxy.newInstance(sc);
+          
           sc.init(card, cardTerminal);
+
           return sc;
 
         } catch (ClassNotFoundException e) {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/VerifyAPDUSpec.java b/smcc/src/main/java/at/gv/egiz/smcc/VerifyAPDUSpec.java
new file mode 100644
index 00000000..23c1f0fd
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/VerifyAPDUSpec.java
@@ -0,0 +1,200 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class VerifyAPDUSpec {
+  
+  public static final int PIN_JUSTIFICATION_LEFT = 0;
+  
+  public static final int PIN_JUSTIFICATION_RIGHT = 1;
+  
+  public static final int PIN_FORMAT_BINARY = 0;
+  
+  public static final int PIN_FORMAT_BCD = 1;
+  
+  public static final int PIN_FORMAT_ASCII = 2; 
+  
+  /**
+   * The APDU template.
+   */
+  protected byte[] apdu;
+  
+  /**
+   * The PIN position in bytes.
+   */
+  protected int pinPosition;
+  
+  /**
+   * The PIN justification (either {@link #PIN_JUSTIFICATION_LEFT} or
+   * {@link #PIN_JUSTIFICATION_RIGHT}).
+   */
+  protected int pinJustification = PIN_JUSTIFICATION_LEFT;
+
+  /**
+   * The PIN encoding format (one of {@value #PIN_FORMAT_BCD},
+   * {@link #PIN_FORMAT_ASCII}).
+   */
+  protected int pinFormat;
+
+  /**
+   * The size of the PIN length in bits or 0 for no PIN length. (Default: 0)
+   */
+  protected int pinLengthSize = 0;
+  
+  /**
+   * The PIN length in the template in bytes.
+   */
+  protected int pinLength;
+  
+  /**
+   * The PIN length position in the template in bits or 0 for no PIN length.
+   * (Default: 0)
+   */
+  protected int pinLengthPos = 0;
+
+  /**
+   * @param apdu
+   * @param pinPosition
+   * @param pinFormat
+   * @param pinLength TODO
+   */
+  public VerifyAPDUSpec(byte[] apdu, int pinPosition, int pinFormat, int pinLength) {
+    super();
+    this.apdu = apdu;
+    this.pinPosition = pinPosition;
+    this.pinFormat = pinFormat;
+    this.pinLength = pinLength;
+  }
+
+  /**
+   * @param apdu
+   * @param pinPosition
+   * @param pinFormat
+   * @param pinLength
+   * @param pinLengthSize
+   * @param pinLengthPos
+   */
+  public VerifyAPDUSpec(byte[] apdu, int pinPosition, int pinFormat,
+      int pinLength, int pinLengthSize, int pinLengthPos) {
+    super();
+    this.apdu = apdu;
+    this.pinPosition = pinPosition;
+    this.pinFormat = pinFormat;
+    this.pinLength = pinLength;
+    this.pinLengthSize = pinLengthSize;
+    this.pinLengthPos = pinLengthPos;
+  }
+
+  /**
+   * @return the apdu
+   */
+  public byte[] getApdu() {
+    return apdu;
+  }
+
+  /**
+   * @param apdu the apdu to set
+   */
+  public void setApdu(byte[] apdu) {
+    this.apdu = apdu;
+  }
+
+  /**
+   * @return the pinPosition
+   */
+  public int getPinPosition() {
+    return pinPosition;
+  }
+
+  /**
+   * @param pinPosition the pinPosition to set
+   */
+  public void setPinPosition(int pinPosition) {
+    this.pinPosition = pinPosition;
+  }
+
+  /**
+   * @return the pinJustification
+   */
+  public int getPinJustification() {
+    return pinJustification;
+  }
+
+  /**
+   * @param pinJustification the pinJustification to set
+   */
+  public void setPinJustification(int pinJustification) {
+    this.pinJustification = pinJustification;
+  }
+
+  /**
+   * @return the pinFormat
+   */
+  public int getPinFormat() {
+    return pinFormat;
+  }
+
+  /**
+   * @param pinFormat the pinFormat to set
+   */
+  public void setPinFormat(int pinFormat) {
+    this.pinFormat = pinFormat;
+  }
+
+  /**
+   * @return the pinLengthSize
+   */
+  public int getPinLengthSize() {
+    return pinLengthSize;
+  }
+
+  /**
+   * @param pinLengthSize the pinLengthSize to set
+   */
+  public void setPinLengthSize(int pinLengthSize) {
+    this.pinLengthSize = pinLengthSize;
+  }
+
+  /**
+   * @return the pinLength
+   */
+  public int getPinLength() {
+    return pinLength;
+  }
+
+  /**
+   * @param pinLength the pinLength to set
+   */
+  public void setPinLength(int pinLength) {
+    this.pinLength = pinLength;
+  }
+
+  /**
+   * @return the pinLengthPos
+   */
+  public int getPinLengthPos() {
+    return pinLengthPos;
+  }
+
+  /**
+   * @param pinLengthPos the pinLengthPos to set
+   */
+  public void setPinLengthPos(int pinLengthPos) {
+    this.pinLengthPos = pinLengthPos;
+  }
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java b/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java
index 2972f3b8..d73ff0e9 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ccid/CCID.java
@@ -16,9 +16,20 @@
  */
 package at.gv.egiz.smcc.ccid;
 
-import at.gv.egiz.smcc.*;
 import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.ChangePINProvider;
+import at.gv.egiz.smcc.ChangeReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.NewReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.PINOperationAbortedException;
+import at.gv.egiz.smcc.PINProvider;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.VerifyAPDUSpec;
 
 /**
  *
@@ -66,6 +77,16 @@ public interface CCID {
   
   boolean hasFeature(Byte feature);
 
+  ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
+      PINSpec pinSpec, PINProvider provider, int retries)
+      throws CancelledException, InterruptedException, CardException,
+      SignatureCardException;
+
+  ResponseAPDU modify(CardChannel channel,
+      ChangeReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
+      ChangePINProvider provider, int retries) throws CancelledException,
+      InterruptedException, CardException, SignatureCardException;
+  
   /**
    * not supported by OMNIKEY CardMan 3621 with ACOS card
    * @param PIN_VERIFY
@@ -107,4 +128,9 @@ public interface CCID {
   byte getwPINMaxExtraDigitL();
   byte getwPINMaxExtraDigitH();
   byte getbEntryValidationCondition();
+
+  ResponseAPDU activate(CardChannel channel, NewReferenceDataAPDUSpec apduSpec,
+      PINSpec pinSpec, PINProvider provider)
+      throws CancelledException, InterruptedException, CardException,
+      SignatureCardException;
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java b/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java
index 580b9379..682390e3 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ccid/DefaultReader.java
@@ -16,16 +16,34 @@
  */
 package at.gv.egiz.smcc.ccid;
 
-import at.gv.egiz.smcc.*;
-import at.gv.egiz.smcc.util.SMCCHelper;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
+
 import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
 import javax.smartcardio.CardTerminal;
+import javax.smartcardio.ResponseAPDU;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.ChangePINProvider;
+import at.gv.egiz.smcc.ChangeReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.NewReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINOperationAbortedException;
+import at.gv.egiz.smcc.PINProvider;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.TimeoutException;
+import at.gv.egiz.smcc.VerifyAPDUSpec;
+import at.gv.egiz.smcc.util.ISO7816Utils;
+import at.gv.egiz.smcc.util.SMCCHelper;
+
 /**
  *
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
@@ -415,4 +433,339 @@ public class DefaultReader implements CCID {
     }
     return resp;
   }
+  
+  
+  
+  protected byte[] createPINModifyStructure(NewReferenceDataAPDUSpec apduSpec, PINSpec pinSpec) {
+    
+    ByteArrayOutputStream s = new ByteArrayOutputStream();
+    // bTimeOut
+    s.write(getbTimeOut());
+    // bTimeOut2
+    s.write(getbTimeOut2());
+    // bmFormatString
+    s.write(1 << 7 // system unit = byte
+        | (0xF & apduSpec.getPinPosition()) << 3
+        | (0x1 & apduSpec.getPinJustification() << 2)
+        | (0x3 & apduSpec.getPinFormat()));
+    // bmPINBlockString
+    s.write((0xF & apduSpec.getPinLengthSize()) << 4
+        | (0xF & apduSpec.getPinLength()));
+    // bmPINLengthFormat
+    s.write(// system unit = bit
+        (0xF & apduSpec.getPinLengthPos()));
+    // bInsertionOffsetOld
+    s.write(0x00);
+    // bInsertionOffsetNew
+    s.write(apduSpec.getPinInsertionOffsetNew());
+    // wPINMaxExtraDigit
+    s.write(Math.min(pinSpec.getMaxLength(), getwPINMaxExtraDigitL()));
+    s.write(Math.max(pinSpec.getMinLength(), getwPINMaxExtraDigitH()));
+    // bConfirmPIN
+    s.write(0x01);
+    // bEntryValidationCondition
+    s.write(getbEntryValidationCondition());
+    // bNumberMessage
+    s.write(0x02);
+    // wLangId
+    s.write(0x0C);
+    s.write(0x04);
+    // bMsgIndex1
+    s.write(0x01);
+    // bMsgIndex2
+    s.write(0x02);
+    // bMsgIndex3
+    s.write(0x00);
+    
+    // bTeoPrologue
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // ulDataLength
+    s.write(apduSpec.getApdu().length);
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // abData
+    try {
+      s.write(apduSpec.getApdu());
+    } catch (IOException e) {
+      // As we are dealing with ByteArrayOutputStreams no exception is to be
+      // expected.
+      throw new RuntimeException(e);
+    }
+    
+    return s.toByteArray();
+
+  }
+  
+  protected byte[] createPINModifyStructure(ChangeReferenceDataAPDUSpec apduSpec, PINSpec pinSpec) {
+    
+    ByteArrayOutputStream s = new ByteArrayOutputStream();
+    // bTimeOut
+    s.write(getbTimeOut());
+    // bTimeOut2
+    s.write(getbTimeOut2());
+    // bmFormatString
+    s.write(1 << 7 // system unit = byte
+        | (0xF & apduSpec.getPinPosition()) << 3
+        | (0x1 & apduSpec.getPinJustification() << 2)
+        | (0x3 & apduSpec.getPinFormat()));
+    // bmPINBlockString
+    s.write((0xF & apduSpec.getPinLengthSize()) << 4
+        | (0xF & apduSpec.getPinLength()));
+    // bmPINLengthFormat
+    s.write(// system unit = bit
+        (0xF & apduSpec.getPinLengthPos()));
+    // bInsertionOffsetOld
+    s.write(apduSpec.getPinInsertionOffsetOld());
+    // bInsertionOffsetNew
+    s.write(apduSpec.getPinInsertionOffsetNew());
+    // wPINMaxExtraDigit
+    s.write(Math.min(pinSpec.getMaxLength(), getwPINMaxExtraDigitL()));
+    s.write(Math.max(pinSpec.getMinLength(), getwPINMaxExtraDigitH()));
+    // bConfirmPIN
+    s.write(0x03);
+    // bEntryValidationCondition
+    s.write(getbEntryValidationCondition());
+    // bNumberMessage
+    s.write(0x03);
+    // wLangId
+    s.write(0x0C);
+    s.write(0x04);
+    // bMsgIndex1
+    s.write(0x00);
+    // bMsgIndex2
+    s.write(0x01);
+    // bMsgIndex3
+    s.write(0x02);
+    
+    // bTeoPrologue
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // ulDataLength
+    s.write(apduSpec.getApdu().length);
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // abData
+    try {
+      s.write(apduSpec.getApdu());
+    } catch (IOException e) {
+      // As we are dealing with ByteArrayOutputStreams no exception is to be
+      // expected.
+      throw new RuntimeException(e);
+    }
+    
+    return s.toByteArray();
+
+  }
+  
+  protected byte[] createPINVerifyStructure(VerifyAPDUSpec apduSpec, PINSpec pinSpec) {
+    
+    ByteArrayOutputStream s = new ByteArrayOutputStream();
+    // bTimeOut
+    s.write(getbTimeOut());
+    // bTimeOut2
+    s.write(getbTimeOut2());
+    // bmFormatString
+    s.write(1 << 7 // system unit = byte
+        | (0xF & apduSpec.getPinPosition()) << 3
+        | (0x1 & apduSpec.getPinJustification() << 2)
+        | (0x3 & apduSpec.getPinFormat()));
+    // bmPINBlockString
+    s.write((0xF & apduSpec.getPinLengthSize()) << 4
+        | (0xF & apduSpec.getPinLength()));
+    // bmPINLengthFormat
+    s.write(// system unit = bit
+        (0xF & apduSpec.getPinLengthPos()));
+    // wPINMaxExtraDigit
+    s.write(Math.min(pinSpec.getMaxLength(), getwPINMaxExtraDigitL())); // max PIN length
+    s.write(Math.max(pinSpec.getMinLength(), getwPINMaxExtraDigitH())); // min PIN length
+    // bEntryValidationCondition
+    s.write(getbEntryValidationCondition());
+    // bNumberMessage
+    s.write(0xFF);
+    // wLangId
+    s.write(0x0C);
+    s.write(0x04);
+    // bMsgIndex
+    s.write(0x00);
+    // bTeoPrologue
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // ulDataLength
+    s.write(apduSpec.getApdu().length);
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // abData
+    try {
+      s.write(apduSpec.getApdu());
+    } catch (IOException e) {
+      // As we are dealing with ByteArrayOutputStreams no exception is to be
+      // expected.
+      throw new RuntimeException(e);
+    }
+    
+    return s.toByteArray();
+    
+  }
+  
+  @Override
+  public ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
+      PINSpec pinSpec, PINProvider provider, int retries)
+      throws CancelledException, InterruptedException, CardException,
+      SignatureCardException {
+    
+    char[] pin = provider.providePIN(pinSpec, retries);
+
+    ResponseAPDU resp = null;
+    if (!disablePinpad && hasFeature(FEATURE_MODIFY_PIN_DIRECT)) {
+      log.debug("VERIFY using " + FEATURES[FEATURE_VERIFY_PIN_DIRECT] + ".");
+      byte[] s = createPINVerifyStructure(apduSpec, pinSpec);
+      resp = new ResponseAPDU(verifyPinDirect(s));
+    } else if (!disablePinpad && hasFeature(FEATURE_VERIFY_PIN_START)) {
+      log.debug("VERIFY using " + FEATURES[FEATURE_MODIFY_PIN_START] + ".");
+      byte[] s = createPINVerifyStructure(apduSpec, pinSpec);
+      resp = new ResponseAPDU(verifyPin(s));
+    }
+      
+    if (resp != null) {
+      
+      switch (resp.getSW()) {
+
+      case 0x6400:
+        log.debug("SPE operation timed out.");
+        throw new TimeoutException();
+      case 0x6401:
+        log.debug("SPE operation was cancelled by the 'Cancel' button.");
+        throw new CancelledException();
+      case 0x6103:
+        log.debug("User entered too short or too long PIN "
+            + "regarding MIN/MAX PIN length.");
+        throw new PINFormatException();
+      case 0x6480:
+        log.debug("SPE operation was aborted by the 'Cancel' operation "
+            + "at the host system.");
+      case 0x6b80:
+        log.info("Invalid parameter in passed structure.");
+
+      default:
+        return resp;
+      }
+      
+    } else {
+      log.debug("VERIFY using software pin entry.");
+      return channel.transmit(ISO7816Utils.createVerifyAPDU(apduSpec, pin));
+    }    
+    
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel,
+      ChangeReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
+      ChangePINProvider provider, int retries) throws CancelledException,
+      InterruptedException, CardException, SignatureCardException {
+    
+    char[] oldPin = provider.provideOldPIN(pinSpec, retries);
+    char[] newPin = provider.providePIN(pinSpec, retries);
+    
+    ResponseAPDU resp = null;
+    if (!disablePinpad && hasFeature(FEATURE_MODIFY_PIN_DIRECT)) {
+      log.debug("MODIFY using " + FEATURES[FEATURE_MODIFY_PIN_DIRECT] + ".");
+      byte[] s = createPINModifyStructure(apduSpec, pinSpec);
+      resp = new ResponseAPDU(modifyPinDirect(s));
+    } else if (!disablePinpad && hasFeature(FEATURE_MODIFY_PIN_START)) {
+      log.debug("MODIFY using " + FEATURES[FEATURE_MODIFY_PIN_START] + ".");
+      byte[] s = createPINModifyStructure(apduSpec, pinSpec);
+      resp = new ResponseAPDU(modifyPin(s));
+    }
+    
+    if (resp != null) {
+      
+      switch (resp.getSW()) {
+
+      case 0x6400:
+        log.debug("SPE operation timed out.");
+        throw new TimeoutException();
+      case 0x6401:
+        log.debug("SPE operation was cancelled by the 'Cancel' button.");
+        throw new CancelledException();
+      case 0x6103:
+        log.debug("User entered too short or too long PIN "
+            + "regarding MIN/MAX PIN length.");
+        throw new PINFormatException();
+      case 0x6480:
+        log.debug("SPE operation was aborted by the 'Cancel' operation "
+            + "at the host system.");
+      case 0x6b80:
+        log.info("Invalid parameter in passed structure.");
+
+      default:
+        return resp;
+      }
+      
+    } else {
+      log.debug("MODIFY using software pin entry.");
+      return channel.transmit(ISO7816Utils.createChangeReferenceDataAPDU(apduSpec, oldPin, newPin));
+    }
+    
+  }
+  
+  @Override
+  public ResponseAPDU activate(CardChannel channel,
+      NewReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
+      PINProvider provider) throws CancelledException,
+      InterruptedException, CardException, SignatureCardException {
+    
+    char[] newPin = provider.providePIN(pinSpec, -1);
+    
+    ResponseAPDU resp = null;
+    if (!disablePinpad && hasFeature(FEATURE_MODIFY_PIN_DIRECT)) {
+      log.debug("MODIFY using " + FEATURES[FEATURE_MODIFY_PIN_DIRECT] + ".");
+      byte[] s = createPINModifyStructure(apduSpec, pinSpec);
+      resp = new ResponseAPDU(modifyPinDirect(s));
+    } else if (!disablePinpad && hasFeature(FEATURE_MODIFY_PIN_START)) {
+      log.debug("MODIFY using " + FEATURES[FEATURE_MODIFY_PIN_START] + ".");
+      byte[] s = createPINModifyStructure(apduSpec, pinSpec);
+      resp = new ResponseAPDU(modifyPin(s));
+    }
+    
+    if (resp != null) {
+      
+      switch (resp.getSW()) {
+
+      case 0x6400:
+        log.debug("SPE operation timed out.");
+        throw new TimeoutException();
+      case 0x6401:
+        log.debug("SPE operation was cancelled by the 'Cancel' button.");
+        throw new CancelledException();
+      case 0x6103:
+        log.debug("User entered too short or too long PIN "
+            + "regarding MIN/MAX PIN length.");
+        throw new PINFormatException();
+      case 0x6480:
+        log.debug("SPE operation was aborted by the 'Cancel' operation "
+            + "at the host system.");
+      case 0x6b80:
+        log.info("Invalid parameter in passed structure.");
+
+      default:
+        return resp;
+      }
+      
+    } else {
+      log.debug("MODIFY using software pin entry.");
+      return channel.transmit(ISO7816Utils.createNewReferenceDataAPDU(apduSpec, newPin));
+    }
+    
+  }
+  
+  
+
+  
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/conf/SMCCConfiguration.java b/smcc/src/main/java/at/gv/egiz/smcc/conf/SMCCConfiguration.java
index 8ea49ca6..696709bd 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/conf/SMCCConfiguration.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/conf/SMCCConfiguration.java
@@ -25,6 +25,8 @@ import java.util.Properties;
  */
 public class SMCCConfiguration extends Properties {
 
+  private static final long serialVersionUID = 1L;
+
   public static final String DISABLE_PINPAD_P = "disable.pinpad";
 
   public void setDisablePinpad(String value) {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java b/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java
new file mode 100644
index 00000000..c5c7cbc9
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java
@@ -0,0 +1,359 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.util;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.CharBuffer;
+import java.nio.charset.Charset;
+
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.ChangeReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.NewReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.SecurityStatusNotSatisfiedException;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.VerifyAPDUSpec;
+
+public class ISO7816Utils {
+  
+  public static TransparentFileInputStream openTransparentFileInputStream(
+      final CardChannel channel, int maxSize) {
+    
+    TransparentFileInputStream file = new TransparentFileInputStream(maxSize) {
+
+      @Override
+      protected byte[] readBinary(int offset, int len) throws IOException {
+
+        ResponseAPDU resp;
+        try {
+          resp = channel.transmit(new CommandAPDU(0x00, 0xB0,
+              0x7F & (offset >> 8), offset & 0xFF, len));
+        } catch (CardException e) {
+          throw new IOException(e);
+        }
+
+        Throwable cause;
+        if (resp.getSW() == 0x9000) {
+          return resp.getData();
+        } else if (resp.getSW() == 0x6982) {
+          cause = new SecurityStatusNotSatisfiedException();
+        } else {
+          cause = new SignatureCardException("Failed to read bytes (offset=" + offset + ",len="
+              + len + ") SW=" + Integer.toHexString(resp.getSW()) + ".");
+        }
+        throw new IOException(cause);
+
+      }
+      
+    };
+
+    return file;
+    
+  }
+
+  public static byte[] readTransparentFile(CardChannel channel, int maxSize)
+      throws CardException, SignatureCardException {
+    
+    TransparentFileInputStream is = openTransparentFileInputStream(channel, maxSize);
+    
+    try {
+
+      ByteArrayOutputStream os = new ByteArrayOutputStream();
+      
+      int len;
+      for (byte[] b = new byte[256]; (len = is.read(b)) != -1;) {
+        os.write(b, 0, len);
+      }
+      
+      return os.toByteArray();
+      
+    } catch (IOException e) {
+      Throwable cause = e.getCause();
+      if (cause instanceof CardException) {
+        throw (CardException) cause;
+      }
+      if (cause instanceof SignatureCardException) {
+        throw (SignatureCardException) cause;
+      }
+      throw new SignatureCardException(e);
+    }
+    
+  }
+  
+  public static byte[] readTransparentFileTLV(CardChannel channel, int maxSize,
+      byte expectedType) throws CardException, SignatureCardException {
+
+    TransparentFileInputStream is = openTransparentFileInputStream(channel,
+        maxSize);
+
+    try {
+
+      is.mark(256);
+
+      // check expected type
+      int b = is.read();
+      if (b == 0x00) {
+        return null;
+      }
+      if (b == -1 || expectedType != (0xFF & b)) {
+        throw new SignatureCardException("Unexpected TLV type. Expected "
+            + Integer.toHexString(expectedType) + " but was "
+            + Integer.toHexString(b) + ".");
+      }
+
+      // get actual length
+      int actualSize = 2;
+      b = is.read();
+      if (b == -1) {
+        return null;
+      } else if ((0x80 & b) > 0) {
+        int octets = (0x0F & b);
+        actualSize += octets;
+        for (int i = 1; i <= octets; i++) {
+          b = is.read();
+          if (b == -1) {
+            return null;
+          }
+          actualSize += (0xFF & b) << ((octets - i) * 8);
+        }
+      } else {
+        actualSize += 0xFF & b;
+      }
+
+      // set limit to actual size and read into buffer
+      is.reset();
+      is.setLimit(actualSize);
+      byte[] buf = new byte[actualSize];
+      if (is.read(buf) == actualSize) {
+        return buf;
+      } else {
+        return null;
+      }
+
+    } catch (IOException e) {
+      Throwable cause = e.getCause();
+      if (cause instanceof CardException) {
+        throw (CardException) cause;
+      }
+      if (cause instanceof SignatureCardException) {
+        throw (SignatureCardException) cause;
+      }
+      throw new SignatureCardException(e);
+    }
+
+  }
+  
+  public static int getLengthFromFCx(byte[] fcx) {
+    
+    int len = -1;
+    
+    if (fcx.length != 0 && (fcx[0] == (byte) 0x62 || fcx[0] == (byte) 0x6F)) {
+      int pos = 2;
+      while (pos < (fcx[1] - 2)) {
+        switch (fcx[pos]) {
+        
+        case (byte) 0x80: {
+          len = 0xFF & fcx[pos + 2];
+          for (int i = 1; i < fcx[pos + 1]; i++) {
+            len<<=8;
+            len+=0xFF & fcx[pos + i + 2];
+          }
+        }
+
+        default:
+          pos += 0xFF & fcx[pos + 1] + 2;
+        }
+      }
+    }
+    
+    return len;
+    
+  }
+  
+  public static byte[] readRecord(CardChannel channel, int record) throws CardException, SignatureCardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xB2, record, 0x04, 256));
+    if (resp.getSW() == 0x9000) {
+      return resp.getData();
+    } else {
+      throw new SignatureCardException("Failed to read records. SW="
+          + Integer.toHexString(resp.getSW()));
+    }
+    
+  }
+
+  public static void formatPIN(int pinFormat, int pinJustification, byte[] fpin, byte[] mask, char[] pin) {
+    
+    boolean left = (pinJustification == VerifyAPDUSpec.PIN_JUSTIFICATION_LEFT);
+    
+    int j = (left) ? 0 : fpin.length - 1;
+    int step = (left) ? 1 : - 1;
+    switch (pinFormat) {
+      case VerifyAPDUSpec.PIN_FORMAT_BINARY:
+        if (fpin.length < pin.length) {
+          throw new IllegalArgumentException();
+        }
+        for (int i = 0; i < pin.length; i++) {
+          fpin[j] = (byte) Character.digit(pin[i], 10);
+          mask[j] = (byte) 0xFF;
+          j += step;
+        }
+        break;
+      
+      case VerifyAPDUSpec.PIN_FORMAT_BCD:
+        if (fpin.length * 2 < pin.length) {
+          throw new IllegalArgumentException();
+        }
+        for (int i = 0; i < pin.length; i++) {
+          int digit = Character.digit(pin[i], 10);
+          boolean h = (i % 2 == 0) ^ left;
+          fpin[j] |= h ? digit : digit << 4 ;
+          mask[j] |= h ? (byte) 0x0F : (byte) 0xF0;
+          j += (i % 2) * step;
+        }
+        break;
+  
+      case VerifyAPDUSpec.PIN_FORMAT_ASCII:
+        if (fpin.length < pin.length) {
+          throw new IllegalArgumentException();
+        }
+        byte[] asciiPin = Charset.forName("ASCII").encode(CharBuffer.wrap(pin)).array();
+        for (int i = 0; i < pin.length; i++) {
+          fpin[j] = asciiPin[i];
+          mask[j] = (byte) 0xFF;
+          j += step;
+        }
+        break;
+      }
+  
+  }
+  
+  public static void insertPIN(byte[] apdu, int pos, byte[] fpin, byte[] mask) {
+    for (int i = 0; i < fpin.length; i++) {
+      apdu[pos + i] &= ~mask[i];
+      apdu[pos + i] |= fpin[i]; 
+    }
+  }
+  
+  public static void insertPINLength(byte[] apdu, int length, int lengthSize, int pos, int offset) {
+    
+    // use short (2 byte) to be able to shift the pin length
+    // by the number of bits given by the pin length position
+    short size = (short) (0x00FF & length);
+    short sMask = (short) ((1 << lengthSize) - 1);
+    // shift to the proper position 
+    int shift = 16 - lengthSize - (pos % 8);
+    offset += (pos / 8) + 5;
+    size <<= shift;
+    sMask <<= shift;
+    // insert upper byte
+    apdu[offset] &= (0xFF & (~sMask >> 8));
+    apdu[offset] |= (0xFF & (size >> 8));
+    // insert lower byte
+    apdu[offset + 1] &= (0xFF & ~sMask);
+    apdu[offset + 1] |= (0xFF & size);
+    
+  }
+
+  public static CommandAPDU createVerifyAPDU(VerifyAPDUSpec apduSpec, char[] pin) {
+
+    // format pin
+    byte[] fpin = new byte[apduSpec.getPinLength()];
+    byte[] mask = new byte[apduSpec.getPinLength()];
+    formatPIN(apduSpec.getPinFormat(), apduSpec.getPinJustification(), fpin, mask, pin);
+
+    byte[] apdu = apduSpec.getApdu();
+
+    // insert formated pin
+    insertPIN(apdu, apduSpec.getPinPosition() + 5, fpin, mask);
+
+    // insert pin length
+    if (apduSpec.getPinLengthSize() != 0) {
+      insertPINLength(apdu, pin.length, apduSpec.getPinLengthSize(), apduSpec.getPinLengthPos(), 0);
+    }
+
+    return new CommandAPDU(apdu);
+    
+  }
+
+  public static CommandAPDU createChangeReferenceDataAPDU(
+      ChangeReferenceDataAPDUSpec apduSpec, char[] oldPin, char[] newPin) {
+    
+    // format old pin
+    byte[] fpin = new byte[apduSpec.getPinLength()];
+    byte[] mask = new byte[apduSpec.getPinLength()];
+    formatPIN(apduSpec.getPinFormat(), apduSpec.getPinJustification(), fpin, mask, oldPin);
+
+    byte[] apdu = apduSpec.getApdu();
+    
+    // insert formated old pin
+    insertPIN(apdu, apduSpec.getPinPosition() + apduSpec.getPinInsertionOffsetOld() + 5, fpin, mask);
+
+    // insert pin length
+    if (apduSpec.getPinLengthSize() != 0) {
+      insertPINLength(apdu, oldPin.length, apduSpec.getPinLengthSize(),
+          apduSpec.getPinLengthPos(), apduSpec.getPinInsertionOffsetOld());
+    }
+
+    // format new pin
+    fpin = new byte[apduSpec.getPinLength()];
+    mask = new byte[apduSpec.getPinLength()];
+    formatPIN(apduSpec.getPinFormat(), apduSpec.getPinJustification(), fpin, mask, newPin);
+    
+    // insert formated new pin
+    insertPIN(apdu, apduSpec.getPinPosition() + apduSpec.getPinInsertionOffsetNew() + 5, fpin, mask);
+
+    // insert pin length
+    if (apduSpec.getPinLengthSize() != 0) {
+      insertPINLength(apdu, newPin.length, apduSpec.getPinLengthSize(),
+          apduSpec.getPinLengthPos(), apduSpec.getPinInsertionOffsetNew());
+    }
+
+    return new CommandAPDU(apdu);
+    
+  }
+
+  public static CommandAPDU createNewReferenceDataAPDU(
+      NewReferenceDataAPDUSpec apduSpec, char[] newPin) {
+    
+    // format old pin
+    byte[] fpin = new byte[apduSpec.getPinLength()];
+    byte[] mask = new byte[apduSpec.getPinLength()];
+    formatPIN(apduSpec.getPinFormat(), apduSpec.getPinJustification(), fpin, mask, newPin);
+
+    byte[] apdu = apduSpec.getApdu();
+    
+    // insert formated new pin
+    insertPIN(apdu, apduSpec.getPinPosition() + apduSpec.getPinInsertionOffsetNew() + 5, fpin, mask);
+
+    // insert pin length
+    if (apduSpec.getPinLengthSize() != 0) {
+      insertPINLength(apdu, newPin.length, apduSpec.getPinLengthSize(),
+          apduSpec.getPinLengthPos(), apduSpec.getPinInsertionOffsetNew());
+    }
+
+    return new CommandAPDU(apdu);
+    
+  }
+
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/util/TransparentFileInputStream.java b/smcc/src/main/java/at/gv/egiz/smcc/util/TransparentFileInputStream.java
new file mode 100644
index 00000000..781f9137
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/util/TransparentFileInputStream.java
@@ -0,0 +1,194 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public abstract class TransparentFileInputStream extends InputStream {
+  
+  private final int chunkSize = 256;
+  
+  private byte[] buf = new byte[chunkSize];
+  private int start = 0;
+  private int end = 0;
+
+  private int offset = 0;
+  
+  private int length = -1;
+  
+  private int limit = -1;
+  
+  private int mark = -1;
+  
+  private int readlimit = -1; 
+  
+  public TransparentFileInputStream() {
+  }
+  
+  public TransparentFileInputStream(int length) {
+    this.length = length;
+  }
+
+  public void setLimit(int limit) {
+    this.limit = limit;
+  }
+
+  private int fill() throws IOException {
+    if (start == end && (limit < 0 || offset < limit)) {
+        int l;
+        if (limit > 0 && limit - offset < chunkSize) {
+          l = limit - offset;
+        } else if (length > 0) {
+          if (length - offset < chunkSize) {
+            l = length - offset;
+          } else {
+            l = chunkSize - 1;
+          }
+        } else {
+          l = chunkSize;
+        }
+        byte[] b = readBinary(offset, l);
+        offset += b.length;
+        if (mark < 0) {
+          start = 0;
+          end = b.length;
+          System.arraycopy(b, 0, buf, start, b.length);
+        } else {
+          if (end - mark + b.length > buf.length) {
+            // double buffer size
+            byte[] nbuf = new byte[buf.length * 2];
+            System.arraycopy(buf, mark, nbuf, 0, end - mark);
+            buf = nbuf;
+          } else {
+            System.arraycopy(buf, mark, buf, 0, end - mark);
+          }
+          start = start - mark;
+          end = end - mark + b.length;
+          mark = 0;
+          System.arraycopy(b, 0, buf, start, b.length);
+        }
+        if (l > b.length) {
+          // end of file reached
+          setLimit(offset);
+        }
+    }
+    return end - start;
+  }
+    
+  protected abstract byte[] readBinary(int offset, int len) throws IOException;
+  
+  @Override
+  public int read() throws IOException {
+    int b = (fill() > 0) ? 0xFF & buf[start++] : -1;
+    if (readlimit > 0 && start > readlimit) {
+      mark = -1;
+      readlimit = -1;
+    }
+    return b;
+  }
+  
+  @Override
+  public int read(byte[] b, int off, int len) throws IOException {
+    if (b == null) {
+      throw new NullPointerException();
+    } else if (off < 0 || len < 0 || len > b.length - off) {
+        throw new IndexOutOfBoundsException();
+    } else if (len == 0) {
+        return 0;
+    }
+
+    int count = 0;
+    int l;
+    while (count < len) {
+      if (fill() > 0) {
+        l = Math.min(end - start, len - count);
+        System.arraycopy(buf, start, b, off, l);
+        start += l;
+        off += l;
+        count += l;
+        if (readlimit > 0 && start > readlimit) {
+          mark = -1;
+          readlimit = -1;
+        }
+      } else {
+        return (count > 0) ? count : -1;
+      }
+    }
+
+    return count;
+
+  }
+
+  @Override
+  public synchronized void mark(int readlimit) {
+    this.readlimit = readlimit;
+    mark = start;
+  }
+
+  @Override
+  public boolean markSupported() {
+    return true;
+  }
+
+  @Override
+  public synchronized void reset() throws IOException {
+    if (mark < 0) {
+      throw new IOException();
+    } else {
+      start = mark;
+    }
+  }
+
+  @Override
+  public long skip(long n) throws IOException {
+
+    if (n <= 0) {
+      return 0;
+    }
+    
+    if (n <= end - start) {
+      start += n;
+      return n;
+    } else {
+      
+      mark = -1;
+      
+      long remaining = n - (end - start);
+      start = end;
+      
+      if (limit >= 0 && limit < offset + remaining) {
+        remaining -= limit - offset;
+        offset = limit;
+        return n - remaining;
+      }
+      
+      if (length >= 0 && length < offset + remaining) {
+        remaining -= length - offset;
+        offset = length;
+        return n - remaining; 
+      }
+      
+      offset += remaining;
+      
+      return n;
+      
+    }
+    
+  }
+  
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java
deleted file mode 100644
index 5839d14a..00000000
--- a/smcc/src/test/java/at/gv/egiz/smcc/ACOSCardTest.java
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
-
-package at.gv.egiz.smcc;
-
-import at.gv.egiz.smcc.SignatureCard.KeyboxName;
-import at.gv.egiz.smcc.util.SMCCHelper;
-import java.util.List;
-import java.util.Locale;
-import javax.smartcardio.ResponseAPDU;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Ignore;
-import org.junit.Test;
-import static org.junit.Assert.*;
-
-/**
- *
- * @author clemens
- */
-@Ignore
-public class ACOSCardTest {
-
-  static ACOSCard card;
-  static PINSpec infPin, decPin, sigPin;
-
-    public ACOSCardTest() {
-    }
-
-  @BeforeClass
-  public static void setUpClass() throws Exception {
-    SMCCHelper smccHelper = new SMCCHelper();
-      switch (smccHelper.getResultCode()) {
-        case SMCCHelper.CARD_FOUND:
-          SignatureCard sigCard = smccHelper.getSignatureCard(Locale.GERMAN);
-          if (sigCard instanceof ACOSCard) {
-            System.out.println("ACOS card found");
-            card = (ACOSCard) sigCard;
-            List<PINSpec> pinSpecs = card.getPINSpecs();
-            infPin = pinSpecs.get(ACOSCard.PINSPEC_INF);
-            decPin = pinSpecs.get(ACOSCard.PINSPEC_DEC);
-            sigPin = pinSpecs.get(ACOSCard.PINSPEC_SIG);
-          } else {
-            throw new Exception("not STARCOS card: " + sigCard.toString());
-          }
-          break;
-        default:
-          throw new Exception("no card found");
-      }
-  }
-
-  @AfterClass
-  public static void tearDownClass() throws Exception {
-  }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
-
-
-
-  /**
-   * Test of verifyPIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testVerifyPIN_pinpad() throws Exception {
-    System.out.println("verifyPIN (pinpad)");
-    assertNotNull(card);
-
-    card.verifyPIN(decPin, new PINProvider() {
-
-      @Override
-      public char[] providePIN(PINSpec spec, int retries) {
-        return null;
-      }
-    });
-  }
-
-  /**
-   * Test of verifyPIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testVerifyPIN_internal() throws Exception {
-    System.out.println("verifyPIN (internal)");
-    assertNotNull(card);
-
-    card.reset();
-
-    card.getCard().beginExclusive();
-
-    // 0x6700 without sending an APDU prior to send CtrlCmd
-    System.out.println("WARNING: this command will fail if no card " +
-            "communication took place prior to sending the CtrlCommand");
-    int retries = card.verifyPIN(decPin.getKID(), null); //"1397".toCharArray());
-
-    System.out.println("VERIFY PIN returned " + retries);
-    card.getCard().endExclusive();
-  }
-
-  /**
-   * Test of changePIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testChangePIN() throws Exception {
-    System.out.println("changePIN");
-    assertNotNull(card);
-
-    card.reset();
-    int retries = card.changePIN(decPin.getKID(), null, null);
-
-    System.out.println("CHANGE PIN returned " + retries);
-  }
-
-  /**
-   * Test of reset method, of class STARCOSCard.
-   */
-  @Test
-  public void testReset() throws Exception {
-    System.out.println("reset");
-    assertNotNull(card);
-    card.reset();
-  }
-
-}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java b/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java
new file mode 100644
index 00000000..137de509
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java
@@ -0,0 +1,56 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+
+public abstract class AbstractAppl implements CardAppl {
+  
+  public final HashMap<Integer, PIN> pins = new HashMap<Integer, PIN>();
+
+  protected List<File> files = new ArrayList<File>();
+
+  public void checkINS(CommandAPDU command, int ins) {
+    if (command.getINS() != ins) {
+      throw new IllegalArgumentException("INS has to be 0x" + Integer.toHexString(ins) + ".");
+    }
+  }
+
+  @Override
+  public abstract byte[] getAID();
+
+  @Override
+  public abstract byte[] getFCI();
+  
+  public void putFile(File file) {
+    files.add(file);
+  }
+
+  public List<File> getFiles() {
+    return files;
+  }
+
+  public abstract void setPin(int kid, char[] value);
+  
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardAppl.java b/smcc/src/test/java/at/gv/egiz/smcc/CardAppl.java
new file mode 100644
index 00000000..76a3e567
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardAppl.java
@@ -0,0 +1,43 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+
+@SuppressWarnings("restriction")
+public interface CardAppl {
+  
+  public byte[] getAID();
+  
+  public byte[] getFID();
+  
+  public byte[] getFCI();
+  
+  public void leaveApplContext();
+
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) throws CardException;
+
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel) throws CardException;
+
+  public ResponseAPDU cmdINTERNAL_AUTHENTICATE(CommandAPDU command, CardChannelEmul channel) throws CardException;
+
+  public void setPin(int kid, char[] value);
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/CardChannelEmul.java
new file mode 100644
index 00000000..bfe4e31c
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardChannelEmul.java
@@ -0,0 +1,52 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.nio.ByteBuffer;
+
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+
+@SuppressWarnings("restriction")
+public abstract class CardChannelEmul extends CardChannel {
+
+  protected AbstractAppl currentAppl = null;
+  protected File currentFile = null;
+
+  public CardChannelEmul() {
+    super();
+  }
+
+  @Override
+  public int getChannelNumber() {
+    return 0;
+  }
+
+  @Override
+  public void close() throws CardException {
+    throw new IllegalStateException("Basic logical channel cannot be closed.");
+  }
+
+  @Override
+  public int transmit(ByteBuffer command, ByteBuffer response) throws CardException {
+    byte[] responseBytes = transmit(new CommandAPDU(command)).getBytes();
+    response.put(responseBytes);
+    return responseBytes.length;
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java
new file mode 100644
index 00000000..6017bcce
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java
@@ -0,0 +1,106 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+
+
+@SuppressWarnings("restriction")
+public abstract class CardEmul extends Card {
+
+  protected Thread exclThread = null;
+  protected CardChannel channel = newCardChannel(this);
+  protected List<AbstractAppl> applications = new ArrayList<AbstractAppl>();
+
+  public CardEmul() {
+    super();
+  }
+
+  protected abstract CardChannelEmul newCardChannel(CardEmul cardEmul);
+
+  @Override
+  public void beginExclusive() throws CardException {
+    
+    if (exclThread == Thread.currentThread()) {
+      throw new CardException("Exclusive access already assigned to current thread.");
+    } else if (exclThread != null) {
+      throw new CardException("Exclusive access already assigned to another thread.");
+    }
+  
+    exclThread = Thread.currentThread();
+    
+  }
+
+  @Override
+  public void endExclusive() throws CardException {
+    
+    if (exclThread == Thread.currentThread()) {
+      exclThread = null;
+    } else if (exclThread == null) {
+      throw new CardException("Exclusive access has not been assigned.");
+    } else {
+      throw new CardException("Exclusive access has not been assigned to current thread.");
+    }
+  
+  }
+
+  @Override
+  public CardChannel getBasicChannel() {
+    return channel;
+  }
+
+  @Override
+  public void disconnect(boolean reset) throws CardException {
+    if (reset) {
+      channel = newCardChannel(this);
+    }
+  }
+
+  @Override
+  public CardChannel openLogicalChannel() throws CardException {
+    throw new CardException("Logical channels not supported.");
+  }
+
+  @Override
+  public String getProtocol() {
+    return "T1";
+  }
+
+  @Override
+  public byte[] transmitControlCommand(int arg0, byte[] arg1)
+      throws CardException {
+            throw new CardException("transmitControlCommand() not supported.");
+      }
+
+  public AbstractAppl getApplication(byte[] fid) {
+    
+    for(AbstractAppl appl : applications) {
+      if (Arrays.equals(appl.getAID(), fid) || Arrays.equals(appl.getFID(), fid)) {
+        return appl;
+      }
+    }
+    return null;
+    
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTerminalEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTerminalEmul.java
new file mode 100644
index 00000000..b13de62f
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTerminalEmul.java
@@ -0,0 +1,64 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
+
+public class CardTerminalEmul extends CardTerminal {
+  
+  private Card card;
+  
+  public CardTerminalEmul(Card card) {
+    this.card = card;
+  }
+
+  @Override
+  public Card connect(String protocol) throws CardException {
+    if ("*".equals(protocol) || "T=1".equals(protocol)) {
+      return card;
+    } else {
+      throw new CardException("Protocol '" + protocol + "' not supported.");
+    }
+  }
+
+  @Override
+  public String getName() {
+    return "CardTerminal Emulation";
+  }
+
+  @Override
+  public boolean isCardPresent() throws CardException {
+    return true;
+  }
+
+  @Override
+  public boolean waitForCardAbsent(long timeout) throws CardException {
+    try {
+      Thread.sleep(timeout);
+    } catch (InterruptedException e) {
+    }
+    return false;
+  }
+
+  @Override
+  public boolean waitForCardPresent(long timeout) throws CardException {
+    return true;
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
new file mode 100644
index 00000000..298e26a5
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
@@ -0,0 +1,298 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import static org.junit.Assert.*;
+
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.smartcardio.Card;
+
+import org.junit.Test;
+
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+import at.gv.egiz.smcc.acos.A04ApplDEC;
+
+@SuppressWarnings("restriction")
+public abstract class CardTest {
+
+  public class TestPINProvider implements PINProvider {
+    
+    int provided = 0;
+  
+    char[] pin;
+  
+    public TestPINProvider(char[] pin) {
+      super();
+      this.pin = pin;
+    }
+  
+    @Override
+    public char[] providePIN(PINSpec spec, int retries)
+        throws CancelledException, InterruptedException {
+      provided++;
+      return pin;
+    }
+
+    public int getProvided() {
+      return provided;
+    }
+  
+  }
+
+  public class TestChangePINProvider extends TestPINProvider implements
+      ChangePINProvider {
+  
+    char[] oldPin;
+  
+    public TestChangePINProvider(char[] oldPin, char[] pin) {
+      super(pin);
+      this.oldPin = oldPin;
+    }
+  
+    @Override
+    public char[] provideOldPIN(PINSpec spec, int retries)
+        throws CancelledException, InterruptedException {
+      return oldPin;
+    }
+  
+  }
+
+  public CardTest() {
+    super();
+  }
+
+  protected abstract SignatureCard createSignatureCard()
+      throws CardNotSupportedException;
+
+  @Test
+  public void testGetCard() throws CardNotSupportedException {
+    SignatureCard signatureCard = createSignatureCard();
+    Card card = signatureCard.getCard();
+    assertNotNull(card);
+  }
+
+  @Test
+  public void testGetInfoboxIdentityLink() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    final char[] pin = "0000".toCharArray();
+    
+    SignatureCard signatureCard = createSignatureCard();
+    
+    TestPINProvider pinProvider = new TestPINProvider(pin);
+
+    byte[] idlink = signatureCard.getInfobox("IdentityLink",
+        pinProvider, null);
+    assertNotNull(idlink);
+    assertTrue(Arrays.equals(idlink, A04ApplDEC.IDLINK));
+    assertEquals(1, pinProvider.provided);
+
+  }
+
+  @Test(expected = CancelledException.class)
+  public void testSignSIGCancel() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        SignatureCard signatureCard = createSignatureCard();
+      
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+            throw new CancelledException();
+          }
+        };
+      
+        signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+            pinProvider);
+      
+      }
+
+  @Test(expected = CancelledException.class)
+  public void testSignDECCancel() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        SignatureCard signatureCard = createSignatureCard();
+      
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+            throw new CancelledException();
+          }
+        };
+      
+        signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+            pinProvider);
+      
+      }
+
+  @Test(expected = InterruptedException.class)
+  public void testSignSIGInterrrupted() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        SignatureCard signatureCard = createSignatureCard();
+      
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+            throw new InterruptedException();
+          }
+        };
+      
+        signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+            pinProvider);
+      
+      }
+
+  @Test(expected = InterruptedException.class)
+  public void testSignDECInterrrupted() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        SignatureCard signatureCard = createSignatureCard();
+      
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+            throw new InterruptedException();
+          }
+        };
+      
+        signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+            pinProvider);
+      
+      }
+
+  @Test(expected = CancelledException.class)
+  public void testSignSIGConcurrent() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        final SignatureCard signatureCard = createSignatureCard();
+      
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+      
+            try {
+              signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+              assertTrue(false);
+              return null;
+            } catch (SignatureCardException e) {
+              // expected
+              throw new CancelledException();
+            }
+      
+          }
+        };
+      
+        signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+            pinProvider);
+      
+      }
+
+  @Test(expected = CancelledException.class)
+  public void testSignDECConcurrent() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        final SignatureCard signatureCard = createSignatureCard();
+      
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+      
+            try {
+              signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+              assertTrue(false);
+              return null;
+            } catch (SignatureCardException e) {
+              // expected
+              throw new CancelledException();
+            }
+      
+          }
+        };
+      
+        signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+            pinProvider);
+      
+      }
+
+  @Test
+  public void testGetPinSpecs() throws CardNotSupportedException {
+  
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+  
+    List<PINSpec> specs = signatureCard.getPINSpecs();
+    assertNotNull(specs);
+    assertTrue(specs.size() > 0);
+  
+  }
+
+  @Test(expected = SignatureCardException.class)
+  public void testActivatePin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+      
+        PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+      
+        PINProvider pinProvider = new PINProvider() {
+          @Override
+          public char[] providePIN(PINSpec spec, int retries)
+              throws CancelledException, InterruptedException {
+            throw new CancelledException();
+          }
+        };
+      
+        List<PINSpec> specs = signatureCard.getPINSpecs();
+      
+        signatureCard.activatePIN(specs.get(0), pinProvider);
+      }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTestSuite.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTestSuite.java
new file mode 100644
index 00000000..3c275a8d
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTestSuite.java
@@ -0,0 +1,29 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+import org.junit.runners.Suite.SuiteClasses;
+
+import at.gv.egiz.smcc.acos.ACOSCardTestSuite;
+
+@RunWith(Suite.class)
+@SuiteClasses( { ACOSCardTestSuite.class, at.gv.egiz.smcc.starcos.STARCOSCardTest.class })
+public class CardTestSuite {
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/File.java b/smcc/src/test/java/at/gv/egiz/smcc/File.java
new file mode 100644
index 00000000..e47c5f7d
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/File.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class File {
+  public byte[] fid;
+  public byte[] file;
+  public byte[] fcx;
+  public int kid = -1;
+
+  public File(byte[] fid, byte[] file, byte[] fcx) {
+    this.fid = fid;
+    this.file = file;
+    this.fcx = fcx;
+  }
+
+  public File(byte[] fid, byte[] file, byte[] fcx, int kid) {
+    this.fid = fid;
+    this.file = file;
+    this.fcx = fcx;
+    this.kid = kid;
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/PIN.java b/smcc/src/test/java/at/gv/egiz/smcc/PIN.java
new file mode 100644
index 00000000..ae883727
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/PIN.java
@@ -0,0 +1,41 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class PIN {
+  
+  public static final int STATE_RESET = 0;
+  
+  public static final int STATE_PIN_VERIFIED = 1;
+  
+  public static final int STATE_PIN_BLOCKED = -1;
+  
+  public byte[] pin;
+  
+  public int kid;
+  
+  public int state = STATE_RESET;
+  
+  public int kfpc = 10;
+
+  public PIN(byte[] pin, int kid, int kfpc) {
+    this.pin = pin;
+    this.kid = kid;
+    this.kfpc = kfpc;
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
deleted file mode 100644
index 9be8db00..00000000
--- a/smcc/src/test/java/at/gv/egiz/smcc/STARCOSCardTest.java
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
-
-package at.gv.egiz.smcc;
-
-import at.gv.egiz.smcc.SignatureCard.KeyboxName;
-import at.gv.egiz.smcc.util.SMCCHelper;
-import java.util.List;
-import java.util.Locale;
-import javax.smartcardio.ResponseAPDU;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Ignore;
-import org.junit.Test;
-import static org.junit.Assert.*;
-
-/**
- *
- * @author clemens
- */
-@Ignore
-public class STARCOSCardTest {
-
-  static STARCOSCard card;
-  static PINSpec cardPin, ssPin;
-
-    public STARCOSCardTest() {
-    }
-
-  @BeforeClass
-  public static void setUpClass() throws Exception {
-    SMCCHelper smccHelper = new SMCCHelper();
-      switch (smccHelper.getResultCode()) {
-        case SMCCHelper.CARD_FOUND:
-          SignatureCard sigCard = smccHelper.getSignatureCard(Locale.GERMAN);
-          if (sigCard instanceof STARCOSCard) {
-            System.out.println("STARCOS card found");
-            card = (STARCOSCard) sigCard;
-            List<PINSpec> pinSpecs = card.getPINSpecs();
-            cardPin = pinSpecs.get(STARCOSCard.PINSPEC_CARD);
-            ssPin = pinSpecs.get(STARCOSCard.PINSPEC_SS);
-
-          } else {
-            throw new Exception("not STARCOS card: " + sigCard.toString());
-          }
-          break;
-        default:
-          throw new Exception("no card found");
-      }
-  }
-
-  @AfterClass
-  public static void tearDownClass() throws Exception {
-  }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
-
-  /**
-   * Test of getCertificate method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testGetCertificate() throws Exception {
-    System.out.println("getCertificate");
-    KeyboxName keyboxName = null;
-    STARCOSCard instance = new STARCOSCard();
-    byte[] expResult = null;
-    byte[] result = instance.getCertificate(keyboxName);
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-  /**
-   * Test of getInfobox method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testGetInfobox() throws Exception {
-    System.out.println("getInfobox");
-    String infobox = "";
-    PINProvider provider = null;
-    String domainId = "";
-    STARCOSCard instance = new STARCOSCard();
-    byte[] expResult = null;
-    byte[] result = instance.getInfobox(infobox, provider, domainId);
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-  /**
-   * Test of createSignature method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testCreateSignature() throws Exception {
-    System.out.println("createSignature");
-    byte[] hash = null;
-    KeyboxName keyboxName = null;
-    PINProvider provider = null;
-    STARCOSCard instance = new STARCOSCard();
-    byte[] expResult = null;
-    byte[] result = instance.createSignature(hash, keyboxName, provider);
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-  /**
-   * Test of selectFileFID method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testSelectFileFID() throws Exception {
-    System.out.println("selectFileFID");
-    byte[] fid = null;
-    STARCOSCard instance = new STARCOSCard();
-    ResponseAPDU expResult = null;
-    ResponseAPDU result = instance.selectFileFID(fid);
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-  /**
-   * Test of verifyPIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testVerifyPIN_pinpad() throws Exception {
-    System.out.println("verifyPIN (pinpad)");
-    assertNotNull(card);
-
-    card.verifyPIN(cardPin, new PINProvider() {
-
-      @Override
-      public char[] providePIN(PINSpec spec, int retries) {
-        return null;
-      }
-    });
-  }
-
-  /**
-   * Test of verifyPIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testVerifyPIN_internal() throws Exception {
-    System.out.println("verifyPIN (internal)");
-    assertNotNull(card);
-
-    card.reset();
-
-    card.getCard().beginExclusive();
-
-    // 0x6700 without sending an APDU prior to send CtrlCmd
-    System.out.println("WARNING: this command will fail if no card " +
-            "communication took place prior to sending the CtrlCommand");
-    int retries = card.verifyPIN(cardPin.getKID(), null); //"1397".toCharArray());
-
-    System.out.println("VERIFY PIN returned " + retries);
-    card.getCard().endExclusive();
-  }
-
-  /**
-   * Test of verifyPIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testVerifyPIN_byte() throws Exception {
-    System.out.println("verifyPIN");
-    byte kid = 0;
-    STARCOSCard instance = new STARCOSCard();
-    int expResult = 0;
-    int result = instance.verifyPIN(kid);
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-  /**
-   * Test of changePIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testChangePIN() throws Exception {
-    System.out.println("changePIN");
-    assertNotNull(card);
-
-    card.reset();
-    int retries = card.changePIN(cardPin.getKID(), null, null);
-
-    System.out.println("CHANGE PIN returned " + retries);
-  }
-
-  /**
-   * Test of activatePIN method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testActivatePIN() throws Exception {
-    System.out.println("activatePIN");
-    assertNotNull(card);
-
-    card.reset();
-    card.activatePIN(cardPin, new PINProvider() {
-
-      @Override
-      public char[] providePIN(PINSpec spec, int retries) throws CancelledException, InterruptedException {
-        return null;
-      }
-    });
-  }
-
-  /**
-   * Test of encodePINBlock method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testEncodePINBlock() throws Exception {
-    System.out.println("encodePINBlock");
-    char[] pin = null;
-    STARCOSCard instance = new STARCOSCard();
-    byte[] expResult = null;
-    byte[] result = instance.encodePINBlock(pin);
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-  /**
-   * Test of reset method, of class STARCOSCard.
-   */
-  @Test
-  public void testReset() throws Exception {
-    System.out.println("reset");
-    assertNotNull(card);
-    card.reset();
-  }
-
-  /**
-   * Test of toString method, of class STARCOSCard.
-   */
-  @Test
-  @Ignore
-  public void testToString() {
-    System.out.println("toString");
-    STARCOSCard instance = new STARCOSCard();
-    String expResult = "";
-    String result = instance.toString();
-    assertEquals(expResult, result);
-    // TODO review the generated test code and remove the default call to fail.
-    fail("The test case is a prototype.");
-  }
-
-}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/TransparentFileInputStreamTest.java b/smcc/src/test/java/at/gv/egiz/smcc/TransparentFileInputStreamTest.java
new file mode 100644
index 00000000..4ae48335
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/TransparentFileInputStreamTest.java
@@ -0,0 +1,208 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+import java.io.IOException;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import at.gv.egiz.smcc.util.TransparentFileInputStream;
+import static org.junit.Assert.*;
+
+public class TransparentFileInputStreamTest {
+  
+  public class TestTransparentFileInputStream extends TransparentFileInputStream {
+
+    private byte[] data;
+    
+    public TestTransparentFileInputStream(byte[] data) {
+      this.data = data;
+    }
+
+    @Override
+    protected byte[] readBinary(int offset, int len) throws IOException {
+      int l = Math.min(len, data.length - offset);
+      byte[] b = new byte[l];
+      System.arraycopy(data, offset, b, 0, l);
+      return b;
+    }
+    
+  }
+  
+  protected static byte[] file;
+  
+  protected static byte[] file_bs;
+  
+  @BeforeClass
+  public static void setUpClass() {
+    
+    byte b = 0x00;
+    file = new byte[1000];
+    for (int i = 0; i < file.length; i++) {
+      file[i] = b++;
+    }
+    
+    file_bs = new byte[256];
+    b = 0x00;
+    for (int i = 0; i < file_bs.length; i++) {
+      file_bs[i] = b++;
+    }
+    
+  }
+
+  @Test
+  public void testReadSeq() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 0;
+    int b; 
+    while ((b = is.read()) != -1) {
+      assertEquals(0xFF & i++, b);
+    }
+    assertEquals(file.length, i);
+    
+  }
+  
+  @Test
+  public void testReadBlock() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 0;
+    byte[] b = new byte[28];
+    int l;
+    while ((l = is.read(b)) != -1) {
+      for(int j = 0; j < l; j++) {
+        assertEquals(0xFF & i++, 0xFF & b[j]);
+      }
+    }
+    assertEquals(file.length, i);
+    
+  }
+
+  @Test
+  public void testReadBlockBS() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file_bs);
+    int i = 0;
+    byte[] b = new byte[28];
+    int l;
+    while ((l = is.read(b)) != -1) {
+      for(int j = 0; j < l; j++) {
+        assertEquals(0xFF & i++, 0xFF & b[j]);
+      }
+    }
+    assertEquals(file_bs.length, i);
+    
+  }
+  
+  @Test(expected = IOException.class)
+  public void testReset() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    is.read(new byte[128]);
+    is.reset();
+    
+  }
+  
+  @Test
+  public void testMark() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 0;
+    is.mark(12);
+    byte[] b = new byte[37];
+    int l;
+    while ((l = is.read(b)) != -1) {
+      for(int j = 0; j < l; j++) {
+        assertEquals(0xFF & i++, 0xFF & b[j]);
+      }
+    }
+    assertEquals(file.length, i);
+    
+  }
+  
+  @Test
+  public void testMarkReset() throws IOException {
+
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 128;
+    is.read(new byte[i]);
+    is.mark(512);
+    byte[] b = new byte[256];
+    is.read(b);
+    for(int j = 0; j < b.length; j++) {
+      assertEquals(0xFF & i + j, 0xFF & b[j]);
+    }
+    is.reset();
+    int l;
+    while ((l = is.read(b)) != -1) {
+      for(int j = 0; j < l; j++) {
+        assertEquals(0xFF & i++, 0xFF & b[j]);
+      }
+    }
+    assertEquals(file.length, i);
+    
+  }
+
+  
+  @Test(expected = IOException.class)
+  public void testMarkResetLimit() throws IOException {
+
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 128;
+    is.read(new byte[i]);
+    is.mark(128);
+    byte[] b = new byte[256];
+    is.read(b);
+    for(int j = 0; j < b.length; j++) {
+      assertEquals(0xFF & i + j, 0xFF & b[j]);
+    }
+    is.reset();
+    
+  }
+  
+  @Test
+  public void testSkipSmall() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 0;
+    i+= is.read(new byte[128]);
+    i+= is.skip(3);
+    byte[] b = new byte[256];
+    int l = is.read(b);
+    for (int j = 0; j < l; j++) {
+      assertEquals(0xFF & i + j, 0xFF & b[j]);
+    }
+    
+  }
+  @Test
+  public void testSkipBig() throws IOException {
+    
+    TransparentFileInputStream is = new TestTransparentFileInputStream(file);
+    int i = 0;
+    i+= is.read(new byte[128]);
+    i+= is.skip(300);
+    byte[] b = new byte[256];
+    int l = is.read(b);
+    for (int j = 0; j < l; j++) {
+      assertEquals(0xFF & i + j, 0xFF & b[j]);
+    }
+    
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java
new file mode 100644
index 00000000..9fd96d73
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java
@@ -0,0 +1,151 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Random;
+
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+
+@SuppressWarnings("restriction")
+public class A03ApplDEC extends ACOSApplDEC {
+  
+  public static final int KID_PIN_INF = 0x83;
+
+  public A03ApplDEC() {
+    super();
+
+    System.arraycopy(IDLINK, 0, EF_INFOBOX, 0, IDLINK.length);
+    putFile(new File(FID_EF_INFOBOX, EF_INFOBOX, FCI_EF_INFOBOX, KID_PIN_INF));
+
+    try {
+      pins.put(KID_PIN_INF, new PIN("0000\0\0\0\0".getBytes("ASCII"), KID_PIN_INF, 10));
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) {
+
+    checkINS(command, 0x22);
+
+    switch (command.getP2()) {
+    case 0xA4:
+      switch (command.getP1()) {
+      case 0x41: {
+        // INTERNAL AUTHENTICATE
+        byte[] dst = new byte[] { (byte) 0x84, (byte) 0x01, (byte) 0x88, (byte) 0x80, (byte) 0x01, (byte) 0x01 };
+        if (Arrays.equals(dst, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+      case 0x81:
+        // EXTERNAL AUTHENTICATE
+      }
+    case 0xB6:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO - COMPUTE DIGITAL SIGNATURE
+      case 0x81:
+        // PSO - VERIFY DGITAL SIGNATURE
+      }
+    case 0xB8:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO � DECIPHER
+      case 0x81:
+        // PSO � ENCIPHER
+      }
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+  }
+
+  @Override
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel) {
+    
+    checkINS(command, 0x2A);
+
+    return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    
+  }
+
+  @Override
+  public ResponseAPDU cmdINTERNAL_AUTHENTICATE(CommandAPDU command, CardChannelEmul channel) {
+    
+    checkINS(command, 0x88);
+    
+    if (command.getP1() == 0x10 && command.getP2() == 0x00) {
+      
+      byte[] data = command.getData();
+      
+      if (securityEnv == null) {
+        // Security Environment not set or wrong
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+      }
+
+      byte[] digestInfo = new byte[] {
+          (byte) 0x30, (byte) 0x21, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2B, (byte) 0x0E, 
+          (byte) 0x03, (byte) 0x02, (byte) 0x1A, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x14
+      };
+      
+      if (data.length != 35 || !Arrays.equals(digestInfo, Arrays.copyOf(data, 15))) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+        
+
+      if (pins.get(KID_PIN_DEC).state != PIN.STATE_PIN_VERIFIED) {
+        // Security Status not satisfied
+        return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+      }
+      
+      byte[] signature = new byte[48]; 
+      
+      // TODO replace by signature creation
+      Random random = new Random();
+      random.nextBytes(signature);
+      
+      byte[] response = new byte[signature.length + 2];
+      System.arraycopy(signature, 0, response, 0, signature.length);
+      response[signature.length] = (byte) 0x90;
+      response[signature.length + 1] = (byte) 0x00;
+      
+      hash = null;
+      pins.get(KID_PIN_DEC).state = PIN.STATE_RESET;
+
+      return new ResponseAPDU(response);
+        
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplSIG.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplSIG.java
new file mode 100644
index 00000000..d059ad57
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplSIG.java
@@ -0,0 +1,77 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.util.Arrays;
+
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+
+
+@SuppressWarnings("restriction")
+public class A03ApplSIG extends ACOSApplSIG {
+  
+  public A03ApplSIG() {
+    super();
+    System.arraycopy(C_CH_DS, 0, EF_C_CH_DS, 0, C_CH_DS.length);
+  }
+
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) {
+
+    checkINS(command, 0x22);
+
+    switch (command.getP2()) {
+    case 0xA4:
+      switch (command.getP1()) {
+      case 0x41:
+        // INTERNAL AUTHENTICATE
+      case 0x81:
+        // EXTERNAL AUTHENTICATE
+      }
+    case 0xB6:
+      switch (command.getP1()) {
+      case 0x41: {
+        // PSO - COMPUTE DIGITAL SIGNATURE
+        byte[] dst = new byte[] { (byte) 0x84, (byte) 0x01, (byte) 0x88, (byte) 0x80, (byte) 0x01, (byte) 0x14 };
+        if (Arrays.equals(dst, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+      case 0x81:
+        // PSO - VERIFY DGITAL SIGNATURE
+      }
+    case 0xB8:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO � DECIPHER
+      case 0x81:
+        // PSO � ENCIPHER
+      }
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+  }
+  
+  
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardChannelEmul.java
new file mode 100644
index 00000000..c8d5382c
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardChannelEmul.java
@@ -0,0 +1,98 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.PIN;
+
+
+@SuppressWarnings("restriction")
+public class A03CardChannelEmul extends ACOSCardChannelEmul {
+
+  public A03CardChannelEmul(CardEmul cardEmul) {
+    super(cardEmul);
+  }
+
+  @Override
+  public ResponseAPDU cmdREAD_BINARY(CommandAPDU command) throws CardException {
+
+    if (command.getINS() != 0xB0) {
+      throw new IllegalArgumentException("INS has to be 0xB0.");
+    }
+
+    if (currentFile == null) {
+      return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x86}); 
+    }
+    
+    if ((command.getP1() & 0x80) > 0) {
+      throw new CardException("Not implemented.");
+    }
+    
+    int offset = command.getP2() + (command.getP1() << 8);
+    if (offset > currentFile.file.length) {
+      // Wrong length
+      return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+    }
+    
+    if (command.getNe() == 0) {
+      throw new CardException("Not implemented.");
+    }
+    
+    if (currentFile.kid != -1) {
+      if ((currentFile.kid & 0x80) > 0) {
+        PIN pin;
+        if (currentAppl == null
+            || (pin = currentAppl.pins.get(currentFile.kid)) == null
+            || pin.state != PIN.STATE_PIN_VERIFIED) {
+          return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+        }
+      } else {
+        // Global PINs not implemented
+        throw new CardException("Not implemented.");
+      }
+    }
+
+    int len;
+    if (command.getNe() == 256) {
+      if (currentFile.file.length > 256) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      } else {
+        len = Math.min(command.getNe(), currentFile.file.length - offset);
+      }
+    } else {
+      if (command.getNe() >= currentFile.file.length - offset) {
+        return new ResponseAPDU(new byte[] {(byte) 0x62, (byte) 0x82});
+      } else {
+        len = command.getNe();
+      }
+    }
+    
+    byte[] response = new byte[len + 2];
+    System.arraycopy(currentFile.file, offset, response, 0, len);
+    response[len] = (byte) 0x90;
+    response[len + 1] = (byte) 0x00;
+    return new ResponseAPDU(response);
+    
+  }
+
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java
new file mode 100644
index 00000000..58216b6b
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java
@@ -0,0 +1,36 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.CardEmul;
+
+
+
+public class A03CardEmul extends ACOSCardEmul {
+
+  public A03CardEmul(A03ApplSIG applSIG, A03ApplDEC applDEC) {
+    applications.add(applSIG);
+    applications.add(applDEC);
+  }
+
+  @Override
+  protected CardChannelEmul newCardChannel(CardEmul cardEmul) {
+    return new A03CardChannelEmul(this);
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java
new file mode 100644
index 00000000..776c0370
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java
@@ -0,0 +1,91 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+
+import org.junit.Test;
+
+import at.gv.egiz.smcc.ACOSCard;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.CardNotSupportedException;
+import at.gv.egiz.smcc.CardTerminalEmul;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINMgmtSignatureCard;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.SignatureCard;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.SignatureCardFactory;
+
+public class A03CardTest extends ACOSCardTest {
+
+  @Override
+  protected SignatureCard createSignatureCard()
+      throws CardNotSupportedException {
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    CardEmul card = new A03CardEmul(new A03ApplSIG(), new A03ApplDEC());
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+    assertTrue(signatureCard instanceof PINMgmtSignatureCard);
+    return signatureCard;
+  }
+
+  @Override
+  protected int getVersion() {
+    return 1;
+  }
+
+  @Test
+  public void testChangePin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+
+    char[] defaultPin = "123456".toCharArray();
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplSIG applSIG = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
+    applSIG.setPin(ACOSApplSIG.KID_PIN_SIG, defaultPin);
+    ACOSApplDEC applDEC = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    applDEC.setPin(ACOSApplDEC.KID_PIN_DEC, defaultPin);
+    applDEC.setPin(A03ApplDEC.KID_PIN_INF, defaultPin);
+
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
+
+      char[] pin = defaultPin;
+
+      for (int i = pinSpec.getMinLength(); i <= pinSpec.getMaxLength(); i++) {
+        signatureCard.verifyPIN(pinSpec, new TestPINProvider(pin));
+        char[] newPin = new char[i];
+        Arrays.fill(newPin, '0');
+        signatureCard
+            .changePIN(pinSpec, new TestChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
+        pin = newPin;
+      }
+
+    }
+
+  }
+
+  
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplDEC.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplDEC.java
new file mode 100644
index 00000000..e38a8e80
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplDEC.java
@@ -0,0 +1,296 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.io.UnsupportedEncodingException;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+
+@SuppressWarnings("restriction")
+public class A04ApplDEC extends ACOSApplDEC {
+  
+  private static final byte[] SEC_ENV_INTERNAL_AUTHENTICATE = new byte[] { (byte) 0x84,
+      (byte) 0x01, (byte) 0x88, (byte) 0x80, (byte) 0x01, (byte) 0x01 };
+  
+  private static final byte[] SEC_ENV_DECIPHER = new byte[] { (byte) 0x84,
+      (byte) 0x01, (byte) 0x88, (byte) 0x80, (byte) 0x01, (byte) 0x02 };
+  
+  private static final RSAPrivateKey SK_CH_EKEY;
+  
+  private static final RSAPublicKey PK_CH_EKEY;
+  
+  static {
+    try {
+      KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
+      gen.initialize(1536);
+      KeyPair keyPair = gen.generateKeyPair();
+      SK_CH_EKEY = (RSAPrivateKey) keyPair.getPrivate();
+      PK_CH_EKEY = (RSAPublicKey) keyPair.getPublic();
+    } catch (NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    }
+  }
+  
+  public A04ApplDEC() {
+    this(false);
+  }
+
+  public A04ApplDEC(boolean encrypt) {
+    
+    int offset = 0;
+    
+    // HEADER 'AIK' + version
+    byte[] header;
+    try {
+      header = "AIK".getBytes("ASCII");
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+    System.arraycopy(header, 0, EF_INFOBOX, offset, header.length);
+    offset += header.length;
+    EF_INFOBOX[offset++] = 1; 
+    
+    // HEADER identity link
+    EF_INFOBOX[offset++] = (byte) 0x01; // Personenbindung
+    if (encrypt) {
+      EF_INFOBOX[offset++] = (byte) 0x01; // Modifier
+
+      byte[] cipherText;
+      byte[] encKey;
+      try {
+        KeyGenerator keyGenerator = KeyGenerator.getInstance("DESede");
+        SecretKey secretKey = keyGenerator.generateKey();
+        
+        byte[] keyBytes = secretKey.getEncoded();
+        
+        Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
+        byte[] iv = new byte[8];
+        Arrays.fill(iv, (byte) 0x00);
+        IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
+        cipherText = cipher.doFinal(IDLINK);
+        
+        cipher = Cipher.getInstance("RSA");
+        cipher.init(Cipher.ENCRYPT_MODE, PK_CH_EKEY);
+        encKey = cipher.doFinal(keyBytes);
+        
+      } catch (GeneralSecurityException e) {
+        throw new RuntimeException(e);
+      }
+      
+      int len = encKey.length + cipherText.length + 2;
+      
+      EF_INFOBOX[offset++] = (byte) (0xFF & len);
+      EF_INFOBOX[offset++] = (byte) (0xFF & len >> 8);
+      
+      EF_INFOBOX[offset++] = (byte) (0xFF & encKey.length);
+      EF_INFOBOX[offset++] = (byte) (0xFF & encKey.length >> 8);
+      
+      System.arraycopy(encKey, 0, EF_INFOBOX, offset, encKey.length);
+      offset += encKey.length;
+      
+      System.arraycopy(cipherText, 0, EF_INFOBOX, offset, cipherText.length);
+      
+    } else {
+      EF_INFOBOX[offset++] = (byte) 0x00; // Modifier
+      EF_INFOBOX[offset++] = (byte) (0xFF & IDLINK.length);
+      EF_INFOBOX[offset++] = (byte) (0xFF & IDLINK.length >> 8);
+      System.arraycopy(IDLINK, 0, EF_INFOBOX, offset, IDLINK.length);
+      offset += IDLINK.length;
+    }
+    
+    putFile(new File(FID_EF_INFOBOX, EF_INFOBOX, FCI_EF_INFOBOX));
+  }
+
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) {
+
+    checkINS(command, 0x22);
+
+    switch (command.getP2()) {
+    case 0xA4:
+      switch (command.getP1()) {
+      case 0x41: {
+        // INTERNAL AUTHENTICATE
+        if (Arrays.equals(SEC_ENV_INTERNAL_AUTHENTICATE, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x85});
+        }
+      }
+      case 0x81:
+        // EXTERNAL AUTHENTICATE
+      }
+    case 0xB6:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO - COMPUTE DIGITAL SIGNATURE
+      case 0x81:
+        // PSO - VERIFY DGITAL SIGNATURE
+      }
+    case 0xB8:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO � DECIPHER
+        if (Arrays.equals(SEC_ENV_DECIPHER, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x85});
+        }
+      case 0x81:
+        // PSO � ENCIPHER
+      }
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+  }
+
+  @Override
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel) throws CardException {
+    
+    checkINS(command, 0x2A);
+    
+    if (command.getP1() == 0x80 && command.getP2() == 0x86) {
+      
+      byte[] data = command.getData();
+      
+      if (!Arrays.equals(securityEnv, SEC_ENV_DECIPHER)) {
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+      }
+      
+      if (data.length != 193) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+      
+      if (pins.get(KID_PIN_DEC).state != PIN.STATE_PIN_VERIFIED) {
+        // Security Status not satisfied
+        return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+      }
+
+      byte[] cipherText = Arrays.copyOfRange(data, 1, data.length);
+      
+      byte[] plainText;
+      try {
+        Cipher cipher = Cipher.getInstance("RSA");
+        cipher.init(Cipher.DECRYPT_MODE, SK_CH_EKEY);
+        plainText = cipher.doFinal(cipherText);
+      } catch (GeneralSecurityException e) {
+        throw new CardException(e);
+      }
+      
+      byte[] response = new byte[plainText.length + 2];
+      System.arraycopy(plainText, 0, response, 0, plainText.length);
+      response[plainText.length] = (byte) 0x90;
+      response[plainText.length + 1] = (byte) 0x00;
+      
+      return new ResponseAPDU(response);
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    }
+    
+  }
+
+  @Override
+  public ResponseAPDU cmdINTERNAL_AUTHENTICATE(CommandAPDU command, CardChannelEmul channel) throws CardException {
+    
+    checkINS(command, 0x88);
+    
+    if (command.getP1() == 0x10 && command.getP2() == 0x00) {
+      
+      byte[] data = command.getData();
+      
+      if (!Arrays.equals(securityEnv, SEC_ENV_INTERNAL_AUTHENTICATE)) {
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+      }
+
+      byte[] digestInfo = new byte[] {
+          (byte) 0x30, (byte) 0x21, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2B, (byte) 0x0E, 
+          (byte) 0x03, (byte) 0x02, (byte) 0x1A, (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x14
+      };
+      
+      if (data.length != 35 || !Arrays.equals(digestInfo, Arrays.copyOf(data, 15))) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+        
+
+      if (pins.get(KID_PIN_DEC).state != PIN.STATE_PIN_VERIFIED) {
+        // Security Status not satisfied
+        return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+      }
+      
+      byte[] digest = Arrays.copyOfRange(data, 15, 35);
+      
+      byte[] sig;
+      try {
+        Signature signature = Signature.getInstance("RSA");
+        signature.initSign(SK_CH_EKEY);
+        signature.update(digest);
+        sig = signature.sign();
+      } catch (GeneralSecurityException e) {
+        throw new CardException(e);
+      }
+      
+      byte[] response = new byte[sig.length + 2];
+      System.arraycopy(sig, 0, response, 0, sig.length);
+      response[sig.length] = (byte) 0x90;
+      response[sig.length + 1] = (byte) 0x00;
+      
+      hash = null;
+      pins.get(KID_PIN_DEC).state = PIN.STATE_RESET;
+
+      return new ResponseAPDU(response);
+        
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplSIG.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplSIG.java
new file mode 100644
index 00000000..aee6a7f7
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04ApplSIG.java
@@ -0,0 +1,87 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.util.Arrays;
+
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+
+
+@SuppressWarnings("restriction")
+public class A04ApplSIG extends ACOSApplSIG {
+  
+  private static byte[] FID_EF_INFO = new byte[] { (byte) 0xd0, (byte) 0x02 };
+
+  private static byte[] FCI_EF_INFO = new byte[] { (byte) 0x6f, (byte) 0x07,
+      (byte) 0x80, (byte) 0x02, (byte) 0x00, (byte) 0x08, (byte) 0x82,
+      (byte) 0x01, (byte) 0x01 };
+
+  private static byte[] EF_INFO = new byte[] { (byte) 0x02, (byte) 0x00,
+      (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
+      (byte) 0x00, (byte) 0x90, (byte) 0x00 };
+
+  public A04ApplSIG() {
+    putFile(new File(FID_EF_INFO, EF_INFO, FCI_EF_INFO));
+  }
+
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) {
+
+    checkINS(command, 0x22);
+
+    switch (command.getP2()) {
+    case 0xA4:
+      switch (command.getP1()) {
+      case 0x41:
+        // INTERNAL AUTHENTICATE
+      case 0x81:
+        // EXTERNAL AUTHENTICATE
+      }
+    case 0xB6:
+      switch (command.getP1()) {
+      case 0x41: {
+        // PSO - COMPUTE DIGITAL SIGNATURE
+        byte[] dst = new byte[] { (byte) 0x84, (byte) 0x01, (byte) 0x88, (byte) 0x80, (byte) 0x01, (byte) 0x14 };
+        if (Arrays.equals(dst, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+      case 0x81:
+        // PSO - VERIFY DGITAL SIGNATURE
+      }
+    case 0xB8:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO � DECIPHER
+      case 0x81:
+        // PSO � ENCIPHER
+      }
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+  }
+  
+  
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardChannelEmul.java
new file mode 100644
index 00000000..3eaece91
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardChannelEmul.java
@@ -0,0 +1,75 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardEmul;
+
+
+@SuppressWarnings("restriction")
+public class A04CardChannelEmul extends ACOSCardChannelEmul {
+
+  public A04CardChannelEmul(CardEmul cardEmul) {
+    super(cardEmul);
+  }
+
+  @Override
+  public ResponseAPDU cmdREAD_BINARY(CommandAPDU command) throws CardException {
+
+    if (command.getINS() != 0xB0) {
+      throw new IllegalArgumentException("INS has to be 0xB0.");
+    }
+
+    if (currentFile == null) {
+      return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x86}); 
+    }
+    
+    if ((command.getP1() & 0x80) > 0) {
+      throw new CardException("Not implemented.");
+    }
+    
+    int offset = command.getP2() + (command.getP1() << 8);
+    if (offset > currentFile.file.length) {
+      // Wrong length
+      return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+    }
+    
+    if (command.getNe() == 0) {
+      throw new CardException("Not implemented.");
+    }
+    
+    if (command.getNe() == 256 || command.getNe() <= currentFile.file.length - offset) {
+      int len = Math.min(command.getNe(), currentFile.file.length - offset);
+      byte[] response = new byte[len + 2];
+      System.arraycopy(currentFile.file, offset, response, 0, len);
+      response[len] = (byte) 0x90;
+      response[len + 1] = (byte) 0x00;
+      return new ResponseAPDU(response);
+    } else if (command.getNe() >= currentFile.file.length - offset) {
+      return new ResponseAPDU(new byte[] {(byte) 0x62, (byte) 0x82});
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+    }
+    
+  }
+
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java
new file mode 100644
index 00000000..70925aa6
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java
@@ -0,0 +1,37 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.CardEmul;
+
+
+
+public class A04CardEmul extends ACOSCardEmul {
+
+  public A04CardEmul(A04ApplSIG applSIG, A04ApplDEC applDEC) {
+    applications.add(applSIG);
+    applications.add(applDEC);
+  }
+
+  @Override
+  protected CardChannelEmul newCardChannel(CardEmul cardEmul) {
+    return new A04CardChannelEmul(this);
+  }
+
+  
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java
new file mode 100644
index 00000000..d15e80d7
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java
@@ -0,0 +1,143 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import iaik.security.provider.IAIK;
+
+import java.security.Security;
+import java.util.Arrays;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import at.gv.egiz.smcc.ACOSCard;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.CardNotSupportedException;
+import at.gv.egiz.smcc.CardTerminalEmul;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINMgmtSignatureCard;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.SignatureCard;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.SignatureCardFactory;
+import at.gv.egiz.smcc.CardTest.TestPINProvider;
+
+public class A04CardTest extends ACOSCardTest {
+
+  @Override
+  protected SignatureCard createSignatureCard()
+      throws CardNotSupportedException {
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    CardEmul card = new A04CardEmul(new A04ApplSIG(), new A04ApplDEC());
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+    assertTrue(signatureCard instanceof PINMgmtSignatureCard);
+    return signatureCard;
+  }
+
+  @Override
+  protected int getVersion() {
+    return 2;
+  }
+
+  @BeforeClass
+  public static void setupClass() {
+    IAIK.addAsProvider();
+  }
+  
+  @Test
+  public void testChangePin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+
+    char[] defaultPin = "123456".toCharArray();
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplSIG applSIG = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
+    applSIG.setPin(ACOSApplSIG.KID_PIN_SIG, defaultPin);
+    ACOSApplDEC applDEC = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    applDEC.setPin(ACOSApplDEC.KID_PIN_DEC, defaultPin);
+
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
+
+      char[] pin = defaultPin;
+
+      for (int i = pinSpec.getMinLength(); i <= pinSpec.getMaxLength(); i++) {
+        char[] newPin = new char[i];
+        Arrays.fill(newPin, '0');
+        signatureCard
+            .changePIN(pinSpec, new TestChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
+        pin = newPin;
+      }
+
+    }
+
+  }
+  
+  @Test
+  public void testGetInfoboxIdentityLinkEncrypted()
+      throws CardNotSupportedException, SignatureCardException,
+      InterruptedException {
+    
+    char[] pin = "0000".toCharArray();
+
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    A04ApplDEC applDEC = new A04ApplDEC(true);
+    applDEC.setPin(A04ApplDEC.KID_PIN_DEC, pin);
+    CardEmul card = new A04CardEmul(new A04ApplSIG(), applDEC);
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+
+    TestPINProvider pinProvider = new TestPINProvider(pin);
+
+    byte[] idlink = signatureCard.getInfobox("IdentityLink",
+        pinProvider, null);
+    assertNotNull(idlink);
+    assertTrue(Arrays.equals(idlink, A04ApplDEC.IDLINK));
+    assertEquals(1, pinProvider.getProvided());
+
+  }
+  
+  @Test
+  public void testGetInfoboxIdentityLink() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    final char[] pin = "0000".toCharArray();
+    
+    SignatureCard signatureCard = createSignatureCard();
+    
+    TestPINProvider pinProvider = new TestPINProvider(pin);
+
+    byte[] idlink = signatureCard.getInfobox("IdentityLink",
+        pinProvider, null);
+    assertNotNull(idlink);
+    assertTrue(Arrays.equals(idlink, A04ApplDEC.IDLINK));
+    assertEquals(0, pinProvider.getProvided());
+
+  }
+
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSAppl.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSAppl.java
new file mode 100644
index 00000000..4c340d61
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSAppl.java
@@ -0,0 +1,79 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Iterator;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.AbstractAppl;
+import at.gv.egiz.smcc.CardAppl;
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public abstract class ACOSAppl extends AbstractAppl implements CardAppl {
+
+  public static byte[] AID_SIG = new byte[] { (byte) 0xA0, (byte) 0x00,
+        (byte) 0x00, (byte) 0x01, (byte) 0x18, (byte) 0x45, (byte) 0x43 };
+  
+  public static byte[] FID_SIG = new byte[] { (byte) 0xDF, (byte) 0x70 };
+  
+  public static byte[] AID_DEC = new byte[] { (byte) 0xA0, (byte) 0x00,
+        (byte) 0x00, (byte) 0x01, (byte) 0x18, (byte) 0x45, (byte) 0x4E };
+
+  public static byte[] FID_DEC = new byte[] { (byte) 0xDF, (byte) 0x71 };
+
+  protected byte[] securityEnv;
+
+  protected byte[] hash;
+
+  @Override
+  public ResponseAPDU cmdINTERNAL_AUTHENTICATE(CommandAPDU command, CardChannelEmul channel) throws CardException {
+    return new ResponseAPDU(new byte[] {(byte) 0x6D, (byte) 0x00});
+  }
+
+  @Override
+  public void leaveApplContext() {
+    Iterator<PIN> pin = pins.values().iterator();
+    while (pin.hasNext()) {
+      pin.next().state = PIN.STATE_RESET;
+    }
+  }
+  
+  public void setPin(int kid, char[] value) {
+    try {
+      PIN pin = pins.get(kid);
+      if (pin != null) {
+        if (value == null) {
+          Arrays.fill(pin.pin, (byte) 0x00);
+          pin.state = PIN.STATE_PIN_BLOCKED;
+        } else {
+          int l = pin.pin.length;
+          pin.pin = Arrays.copyOf(new String(value).getBytes("ASCII"), l);
+        }
+      }
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java
new file mode 100644
index 00000000..08979536
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java
@@ -0,0 +1,334 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+public abstract class ACOSApplDEC extends ACOSAppl {
+
+  public static final byte[] IDLINK = new byte[] {
+      (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x11, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x0c, 
+      (byte) 0x26, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, 
+      (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, 
+      (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x7a, 
+      (byte) 0x6d, (byte) 0x72, (byte) 0x2f, (byte) 0x70, (byte) 0x65, (byte) 0x72, (byte) 0x73, (byte) 0x62, 
+      (byte) 0x32, (byte) 0x30, (byte) 0x34, (byte) 0x2e, (byte) 0x78, (byte) 0x73, (byte) 0x6c, (byte) 0x0c, 
+      (byte) 0x29, (byte) 0x73, (byte) 0x7a, (byte) 0x72, (byte) 0x2e, (byte) 0x62, (byte) 0x6d, (byte) 0x69, 
+      (byte) 0x2e, (byte) 0x67, (byte) 0x76, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2d, (byte) 0x41, 
+      (byte) 0x73, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, 
+      (byte) 0x49, (byte) 0x44, (byte) 0x31, (byte) 0x32, (byte) 0x33, (byte) 0x36, (byte) 0x33, (byte) 0x35, 
+      (byte) 0x36, (byte) 0x33, (byte) 0x36, (byte) 0x36, (byte) 0x37, (byte) 0x39, (byte) 0x39, (byte) 0x39, 
+      (byte) 0x31, (byte) 0x39, (byte) 0x0c, (byte) 0x19, (byte) 0x32, (byte) 0x30, (byte) 0x30, (byte) 0x39, 
+      (byte) 0x2d, (byte) 0x30, (byte) 0x33, (byte) 0x2d, (byte) 0x30, (byte) 0x36, (byte) 0x54, (byte) 0x31, 
+      (byte) 0x36, (byte) 0x3a, (byte) 0x31, (byte) 0x39, (byte) 0x3a, (byte) 0x32, (byte) 0x36, (byte) 0x2b, 
+      (byte) 0x30, (byte) 0x31, (byte) 0x3a, (byte) 0x30, (byte) 0x30, (byte) 0xa0, (byte) 0x42, (byte) 0x30, 
+      (byte) 0x40, (byte) 0x0c, (byte) 0x18, (byte) 0x45, (byte) 0x68, (byte) 0x42, (byte) 0x53, (byte) 0x36, 
+      (byte) 0x54, (byte) 0x6f, (byte) 0x31, (byte) 0x49, (byte) 0x6c, (byte) 0x54, (byte) 0x4b, (byte) 0x4f, 
+      (byte) 0x4a, (byte) 0x45, (byte) 0x39, (byte) 0x75, (byte) 0x62, (byte) 0x74, (byte) 0x48, (byte) 0x69, 
+      (byte) 0x51, (byte) 0x3d, (byte) 0x3d, (byte) 0x0c, (byte) 0x0a, (byte) 0x58, (byte) 0x58, (byte) 0x58, 
+      (byte) 0xc5, (byte) 0x90, (byte) 0x7a, (byte) 0x67, (byte) 0xc3, (byte) 0xbc, (byte) 0x72, (byte) 0x0c, 
+      (byte) 0x0c, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x54, (byte) 0xc3, (byte) 0xbc, (byte) 0x7a, 
+      (byte) 0x65, (byte) 0x6b, (byte) 0xc3, (byte) 0xa7, (byte) 0x69, (byte) 0x0c, (byte) 0x0a, (byte) 0x31, 
+      (byte) 0x39, (byte) 0x37, (byte) 0x33, (byte) 0x2d, (byte) 0x30, (byte) 0x36, (byte) 0x2d, (byte) 0x30, 
+      (byte) 0x34, (byte) 0x30, (byte) 0x0a, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x00, 
+      (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x03, (byte) 0x82, (byte) 0x01, 
+      (byte) 0x01, (byte) 0x00, (byte) 0x9f, (byte) 0xa5, (byte) 0x68, (byte) 0xa9, (byte) 0x14, (byte) 0x4c, 
+      (byte) 0xa4, (byte) 0x5d, (byte) 0x9d, (byte) 0x09, (byte) 0x99, (byte) 0x2e, (byte) 0xe7, (byte) 0x45, 
+      (byte) 0x2e, (byte) 0x42, (byte) 0x49, (byte) 0x02, (byte) 0x16, (byte) 0xd9, (byte) 0xcb, (byte) 0x90, 
+      (byte) 0x43, (byte) 0x27, (byte) 0x03, (byte) 0x43, (byte) 0x6d, (byte) 0xb4, (byte) 0x8c, (byte) 0xdc, 
+      (byte) 0x1c, (byte) 0x77, (byte) 0xd4, (byte) 0x2e, (byte) 0xa1, (byte) 0x40, (byte) 0xe7, (byte) 0xe0, 
+      (byte) 0x03, (byte) 0x60, (byte) 0x15, (byte) 0xf7, (byte) 0xdb, (byte) 0x03, (byte) 0x5e, (byte) 0xca, 
+      (byte) 0xe4, (byte) 0x35, (byte) 0xba, (byte) 0x2b, (byte) 0xfd, (byte) 0xe6, (byte) 0xb8, (byte) 0xd8, 
+      (byte) 0xb7, (byte) 0x2a, (byte) 0x80, (byte) 0xdd, (byte) 0x38, (byte) 0xe0, (byte) 0x8a, (byte) 0x69, 
+      (byte) 0xad, (byte) 0x67, (byte) 0x60, (byte) 0x65, (byte) 0x42, (byte) 0xc9, (byte) 0x41, (byte) 0x60, 
+      (byte) 0x94, (byte) 0xde, (byte) 0x84, (byte) 0x54, (byte) 0xad, (byte) 0xb3, (byte) 0xf4, (byte) 0xf7, 
+      (byte) 0x44, (byte) 0xd5, (byte) 0xf3, (byte) 0xd3, (byte) 0xb6, (byte) 0x87, (byte) 0x8a, (byte) 0x22, 
+      (byte) 0x38, (byte) 0x00, (byte) 0xcb, (byte) 0xa4, (byte) 0x4f, (byte) 0x96, (byte) 0xc2, (byte) 0x28, 
+      (byte) 0xc2, (byte) 0x8d, (byte) 0x91, (byte) 0x95, (byte) 0xb4, (byte) 0xea, (byte) 0x00, (byte) 0x59, 
+      (byte) 0x2e, (byte) 0xec, (byte) 0x78, (byte) 0xd8, (byte) 0x0f, (byte) 0x26, (byte) 0x04, (byte) 0xee, 
+      (byte) 0xed, (byte) 0x13, (byte) 0xbf, (byte) 0x81, (byte) 0x68, (byte) 0x81, (byte) 0x43, (byte) 0xbe, 
+      (byte) 0x15, (byte) 0x0e, (byte) 0xba, (byte) 0xf9, (byte) 0x6a, (byte) 0x18, (byte) 0xeb, (byte) 0x95, 
+      (byte) 0xad, (byte) 0xb4, (byte) 0x0f, (byte) 0x3c, (byte) 0x94, (byte) 0x63, (byte) 0x32, (byte) 0x81, 
+      (byte) 0x90, (byte) 0xcf, (byte) 0x3f, (byte) 0x95, (byte) 0xff, (byte) 0x8d, (byte) 0x86, (byte) 0xed, 
+      (byte) 0xe4, (byte) 0x75, (byte) 0xd5, (byte) 0x09, (byte) 0x32, (byte) 0x17, (byte) 0x38, (byte) 0xb2, 
+      (byte) 0x68, (byte) 0x35, (byte) 0x49, (byte) 0x8c, (byte) 0xa6, (byte) 0xd0, (byte) 0x3e, (byte) 0xde, 
+      (byte) 0x6e, (byte) 0x47, (byte) 0x68, (byte) 0xbf, (byte) 0x98, (byte) 0x33, (byte) 0xae, (byte) 0x59, 
+      (byte) 0x9f, (byte) 0xe0, (byte) 0x19, (byte) 0x9b, (byte) 0x5b, (byte) 0x1b, (byte) 0x8f, (byte) 0x74, 
+      (byte) 0xd2, (byte) 0x9c, (byte) 0x01, (byte) 0x1a, (byte) 0xdf, (byte) 0xaf, (byte) 0xf8, (byte) 0x96, 
+      (byte) 0x91, (byte) 0xcb, (byte) 0xf8, (byte) 0xbf, (byte) 0x06, (byte) 0xc7, (byte) 0xd5, (byte) 0x17, 
+      (byte) 0x95, (byte) 0xef, (byte) 0xc5, (byte) 0x97, (byte) 0x37, (byte) 0x1b, (byte) 0xb0, (byte) 0xa1, 
+      (byte) 0x4f, (byte) 0x9f, (byte) 0x01, (byte) 0x82, (byte) 0x90, (byte) 0x4a, (byte) 0x6a, (byte) 0x04, 
+      (byte) 0xdb, (byte) 0x31, (byte) 0x1a, (byte) 0x58, (byte) 0xeb, (byte) 0xcd, (byte) 0x68, (byte) 0xe3, 
+      (byte) 0x68, (byte) 0x0b, (byte) 0xa0, (byte) 0x11, (byte) 0x44, (byte) 0x08, (byte) 0xa0, (byte) 0x5c, 
+      (byte) 0xfc, (byte) 0x61, (byte) 0x15, (byte) 0x1f, (byte) 0xbb, (byte) 0x22, (byte) 0x87, (byte) 0x18, 
+      (byte) 0xa3, (byte) 0x07, (byte) 0x9b, (byte) 0x0d, (byte) 0x13, (byte) 0x7c, (byte) 0xff, (byte) 0x30, 
+      (byte) 0xcf, (byte) 0xf3, (byte) 0xaf, (byte) 0xe4, (byte) 0x45, (byte) 0x05, (byte) 0xa0, (byte) 0x8e, 
+      (byte) 0x6b, (byte) 0xef, (byte) 0x70, (byte) 0xf5, (byte) 0x4b, (byte) 0x68, (byte) 0x8f, (byte) 0x61, 
+      (byte) 0xd6, (byte) 0xf5, (byte) 0xa0, (byte) 0x17, (byte) 0x03, (byte) 0x15, (byte) 0x00, (byte) 0x8e, 
+      (byte) 0xa8, (byte) 0xdf, (byte) 0xa9, (byte) 0x77, (byte) 0xfd, (byte) 0x9b, (byte) 0x4b, (byte) 0x91, 
+      (byte) 0x89, (byte) 0x34, (byte) 0x84, (byte) 0xf3, (byte) 0x24, (byte) 0xb2, (byte) 0x5a, (byte) 0x39, 
+      (byte) 0xa9, (byte) 0xf2, (byte) 0x17, (byte) 0xa1, (byte) 0x17, (byte) 0x03, (byte) 0x15, (byte) 0x00, 
+      (byte) 0xdb, (byte) 0xa2, (byte) 0xfd, (byte) 0xa4, (byte) 0xe7, (byte) 0x65, (byte) 0x2e, (byte) 0x7e, 
+      (byte) 0xb0, (byte) 0xc8, (byte) 0xfa, (byte) 0x4d, (byte) 0x13, (byte) 0x28, (byte) 0xdf, (byte) 0xb1, 
+      (byte) 0x58, (byte) 0x3b, (byte) 0x9e, (byte) 0x29, (byte) 0xa2, (byte) 0x17, (byte) 0x03, (byte) 0x15, 
+      (byte) 0x00, (byte) 0x68, (byte) 0xa0, (byte) 0x17, (byte) 0x18, (byte) 0xb7, (byte) 0xb3, (byte) 0xc3, 
+      (byte) 0x60, (byte) 0x77, (byte) 0x82, (byte) 0x8d, (byte) 0xf1, (byte) 0x5e, (byte) 0x10, (byte) 0xc3, 
+      (byte) 0x2d, (byte) 0x78, (byte) 0x2c, (byte) 0x11, (byte) 0x0b
+    };
+  private static byte[] FCI = new byte[] { (byte) 0x6f, (byte) 0x1a, (byte) 0x84,
+        (byte) 0x07, (byte) 0xa0, (byte) 0x00, (byte) 0x00, (byte) 0x01,
+        (byte) 0x18, (byte) 0x4e, (byte) 0x43, (byte) 0x85, (byte) 0x0f,
+        (byte) 0x50, (byte) 0x0d, (byte) 0x44, (byte) 0x49, (byte) 0x47,
+        (byte) 0x53, (byte) 0x49, (byte) 0x47, (byte) 0x20, (byte) 0x43,
+        (byte) 0x43, (byte) 0x20, (byte) 0x45, (byte) 0x4e, (byte) 0x43 };
+  protected static byte[] FID_EF_C_CH_EKEY = new byte[] { (byte) 0xc0, (byte) 0x01 };
+  protected static byte[] FCI_EF_C_CH_EKEY = new byte[] { (byte) 0x6f, (byte) 0x07,
+    (byte) 0x80, (byte) 0x02, (byte) 0x07, (byte) 0xd0, (byte) 0x82,
+    (byte) 0x01, (byte) 0x01};
+  protected static byte[] C_CH_EKEY = new byte[] {
+      (byte) 0x30, (byte) 0x82, (byte) 0x05, (byte) 0x7f, (byte) 0x30, (byte) 0x82, (byte) 0x04, (byte) 0x67, 
+      (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x02, (byte) 0x02, (byte) 0x03, (byte) 0x02, 
+      (byte) 0x05, (byte) 0x51, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 
+      (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0xa1, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, 
+      (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, 
+      (byte) 0x54, (byte) 0x31, (byte) 0x48, (byte) 0x30, (byte) 0x46, (byte) 0x06, (byte) 0x03, (byte) 0x55, 
+      (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x3f, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, 
+      (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x73, (byte) 0x2e, 
+      (byte) 0x20, (byte) 0x66, (byte) 0x2e, (byte) 0x20, (byte) 0x53, (byte) 0x69, (byte) 0x63, (byte) 0x68, 
+      (byte) 0x65, (byte) 0x72, (byte) 0x68, (byte) 0x65, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x73, 
+      (byte) 0x79, (byte) 0x73, (byte) 0x74, (byte) 0x65, (byte) 0x6d, (byte) 0x65, (byte) 0x20, (byte) 0x69, 
+      (byte) 0x6d, (byte) 0x20, (byte) 0x65, (byte) 0x6c, (byte) 0x65, (byte) 0x6b, (byte) 0x74, (byte) 0x72, 
+      (byte) 0x2e, (byte) 0x20, (byte) 0x44, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x6e, (byte) 0x76, 
+      (byte) 0x65, (byte) 0x72, (byte) 0x6b, (byte) 0x65, (byte) 0x68, (byte) 0x72, (byte) 0x20, (byte) 0x47, 
+      (byte) 0x6d, (byte) 0x62, (byte) 0x48, (byte) 0x31, (byte) 0x23, (byte) 0x30, (byte) 0x21, (byte) 0x06, 
+      (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0b, (byte) 0x0c, (byte) 0x1a, (byte) 0x61, (byte) 0x2d, 
+      (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, 
+      (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, 
+      (byte) 0x74, (byte) 0x2d, (byte) 0x45, (byte) 0x6e, (byte) 0x63, (byte) 0x2d, (byte) 0x30, (byte) 0x32, 
+      (byte) 0x31, (byte) 0x23, (byte) 0x30, (byte) 0x21, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
+      (byte) 0x03, (byte) 0x0c, (byte) 0x1a, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, 
+      (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, 
+      (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x45, 
+      (byte) 0x6e, (byte) 0x63, (byte) 0x2d, (byte) 0x30, (byte) 0x32, (byte) 0x30, (byte) 0x1e, (byte) 0x17, 
+      (byte) 0x0d, (byte) 0x30, (byte) 0x39, (byte) 0x30, (byte) 0x31, (byte) 0x31, (byte) 0x33, (byte) 0x30, 
+      (byte) 0x39, (byte) 0x34, (byte) 0x35, (byte) 0x31, (byte) 0x32, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, 
+      (byte) 0x31, (byte) 0x32, (byte) 0x31, (byte) 0x32, (byte) 0x33, (byte) 0x31, (byte) 0x30, (byte) 0x39, 
+      (byte) 0x34, (byte) 0x35, (byte) 0x31, (byte) 0x32, (byte) 0x5a, (byte) 0x30, (byte) 0x70, (byte) 0x31, 
+      (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 
+      (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x54, (byte) 0x31, (byte) 0x1f, (byte) 0x30, (byte) 0x1d, 
+      (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x16, (byte) 0x58, 
+      (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x6f, (byte) 0x20, (byte) 0x58, 
+      (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x61, (byte) 0x6b, (byte) 0x72, 
+      (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x17, (byte) 0x30, 
+      (byte) 0x15, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x04, (byte) 0x0c, (byte) 0x0e, 
+      (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x61, (byte) 0x6b, 
+      (byte) 0x72, (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x10, 
+      (byte) 0x30, (byte) 0x0e, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x2a, (byte) 0x0c, 
+      (byte) 0x07, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x6f, 
+      (byte) 0x31, (byte) 0x15, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
+      (byte) 0x05, (byte) 0x13, (byte) 0x0c, (byte) 0x39, (byte) 0x37, (byte) 0x30, (byte) 0x30, (byte) 0x31, 
+      (byte) 0x36, (byte) 0x38, (byte) 0x36, (byte) 0x36, (byte) 0x31, (byte) 0x37, (byte) 0x34, (byte) 0x30, 
+      (byte) 0x81, (byte) 0xdf, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 
+      (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0x05, 
+      (byte) 0x00, (byte) 0x03, (byte) 0x81, (byte) 0xcd, (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0xc9, 
+      (byte) 0x02, (byte) 0x81, (byte) 0xc1, (byte) 0x00, (byte) 0xae, (byte) 0xe6, (byte) 0x07, (byte) 0x1d, 
+      (byte) 0xb9, (byte) 0x56, (byte) 0x0a, (byte) 0x98, (byte) 0x1a, (byte) 0xde, (byte) 0x52, (byte) 0xf2, 
+      (byte) 0x77, (byte) 0xdc, (byte) 0x5e, (byte) 0x76, (byte) 0x7f, (byte) 0xe5, (byte) 0xc1, (byte) 0x79, 
+      (byte) 0xb9, (byte) 0x51, (byte) 0x97, (byte) 0x08, (byte) 0x20, (byte) 0x4e, (byte) 0xa6, (byte) 0xa3, 
+      (byte) 0xab, (byte) 0xdf, (byte) 0x49, (byte) 0x21, (byte) 0x2b, (byte) 0x65, (byte) 0x4f, (byte) 0x7c, 
+      (byte) 0x26, (byte) 0xe8, (byte) 0xb9, (byte) 0x47, (byte) 0xdf, (byte) 0x03, (byte) 0x0f, (byte) 0xf7, 
+      (byte) 0x4e, (byte) 0xf4, (byte) 0x47, (byte) 0x3d, (byte) 0x32, (byte) 0x61, (byte) 0x05, (byte) 0x33, 
+      (byte) 0x0f, (byte) 0xdc, (byte) 0x97, (byte) 0x3e, (byte) 0xbf, (byte) 0x9b, (byte) 0xf2, (byte) 0xf8, 
+      (byte) 0xb3, (byte) 0xe2, (byte) 0xc4, (byte) 0x4d, (byte) 0xe0, (byte) 0x48, (byte) 0x6a, (byte) 0x1b, 
+      (byte) 0xd2, (byte) 0xfe, (byte) 0xfa, (byte) 0xee, (byte) 0x24, (byte) 0x08, (byte) 0xdc, (byte) 0x60, 
+      (byte) 0x2a, (byte) 0x78, (byte) 0x6c, (byte) 0x1d, (byte) 0xd3, (byte) 0x74, (byte) 0x43, (byte) 0x1f, 
+      (byte) 0x1f, (byte) 0x4e, (byte) 0xd2, (byte) 0x0f, (byte) 0x89, (byte) 0x3c, (byte) 0xe3, (byte) 0x1e, 
+      (byte) 0xfa, (byte) 0x31, (byte) 0x5a, (byte) 0xc2, (byte) 0x04, (byte) 0x24, (byte) 0xd1, (byte) 0xe5, 
+      (byte) 0x51, (byte) 0xc4, (byte) 0x94, (byte) 0x26, (byte) 0xd1, (byte) 0x32, (byte) 0x1e, (byte) 0xdf, 
+      (byte) 0x64, (byte) 0xaa, (byte) 0xaf, (byte) 0x2c, (byte) 0x85, (byte) 0x25, (byte) 0x88, (byte) 0x8f, 
+      (byte) 0x80, (byte) 0xe4, (byte) 0x05, (byte) 0x74, (byte) 0xd5, (byte) 0xda, (byte) 0x69, (byte) 0x88, 
+      (byte) 0x4a, (byte) 0x0c, (byte) 0x6a, (byte) 0x85, (byte) 0x5f, (byte) 0x67, (byte) 0x51, (byte) 0x6c, 
+      (byte) 0x5c, (byte) 0x1c, (byte) 0x41, (byte) 0x88, (byte) 0x4c, (byte) 0xad, (byte) 0x83, (byte) 0xc9, 
+      (byte) 0x10, (byte) 0x97, (byte) 0x45, (byte) 0x00, (byte) 0x3f, (byte) 0xbd, (byte) 0x1d, (byte) 0x2f, 
+      (byte) 0x28, (byte) 0x2e, (byte) 0x78, (byte) 0x97, (byte) 0x05, (byte) 0xa5, (byte) 0x41, (byte) 0x42, 
+      (byte) 0x37, (byte) 0x08, (byte) 0x60, (byte) 0x0b, (byte) 0x66, (byte) 0xb1, (byte) 0xb8, (byte) 0xdd, 
+      (byte) 0x98, (byte) 0x03, (byte) 0x03, (byte) 0x33, (byte) 0xc9, (byte) 0x15, (byte) 0xf7, (byte) 0x5b, 
+      (byte) 0x35, (byte) 0xa5, (byte) 0xaa, (byte) 0x7a, (byte) 0x5e, (byte) 0xe9, (byte) 0xa7, (byte) 0x60, 
+      (byte) 0xba, (byte) 0xd8, (byte) 0x0d, (byte) 0x6d, (byte) 0xb3, (byte) 0x85, (byte) 0x70, (byte) 0x0e, 
+      (byte) 0x38, (byte) 0x6f, (byte) 0xf0, (byte) 0xfd, (byte) 0x02, (byte) 0x03, (byte) 0x01, (byte) 0x00, 
+      (byte) 0x01, (byte) 0xa3, (byte) 0x82, (byte) 0x02, (byte) 0x32, (byte) 0x30, (byte) 0x82, (byte) 0x02, 
+      (byte) 0x2e, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, 
+      (byte) 0x04, (byte) 0x0c, (byte) 0x30, (byte) 0x0a, (byte) 0x80, (byte) 0x08, (byte) 0x4b, (byte) 0x5d, 
+      (byte) 0x02, (byte) 0x5c, (byte) 0x6d, (byte) 0x58, (byte) 0x24, (byte) 0x67, (byte) 0x30, (byte) 0x81, 
+      (byte) 0x84, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x07, (byte) 0x01, (byte) 0x01, (byte) 0x04, (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x30, 
+      (byte) 0x2c, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x07, (byte) 0x30, (byte) 0x01, (byte) 0x86, (byte) 0x20, (byte) 0x68, (byte) 0x74, (byte) 0x74, 
+      (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x70, 
+      (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, 
+      (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x2f, (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x70, (byte) 0x30, (byte) 0x46, (byte) 0x06, 
+      (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x30, 
+      (byte) 0x02, (byte) 0x86, (byte) 0x3a, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, 
+      (byte) 0x2f, (byte) 0x2f, (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, 
+      (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x2f, (byte) 0x63, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x73, (byte) 0x2f, (byte) 0x61, 
+      (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, 
+      (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, 
+      (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x45, (byte) 0x6e, (byte) 0x63, (byte) 0x2d, (byte) 0x30, 
+      (byte) 0x32, (byte) 0x2e, (byte) 0x63, (byte) 0x72, (byte) 0x74, (byte) 0x30, (byte) 0x81, (byte) 0x93, 
+      (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x20, (byte) 0x04, (byte) 0x81, (byte) 0x8b, 
+      (byte) 0x30, (byte) 0x81, (byte) 0x88, (byte) 0x30, (byte) 0x81, (byte) 0x85, (byte) 0x06, (byte) 0x06, 
+      (byte) 0x2a, (byte) 0x28, (byte) 0x00, (byte) 0x11, (byte) 0x01, (byte) 0x03, (byte) 0x30, (byte) 0x7b, 
+      (byte) 0x30, (byte) 0x3d, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, 
+      (byte) 0x05, (byte) 0x07, (byte) 0x02, (byte) 0x01, (byte) 0x16, (byte) 0x31, (byte) 0x68, (byte) 0x74, 
+      (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x77, (byte) 0x77, (byte) 0x77, 
+      (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, 
+      (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x64, (byte) 0x6f, (byte) 0x63, (byte) 0x73, 
+      (byte) 0x2f, (byte) 0x63, (byte) 0x70, (byte) 0x2f, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, 
+      (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x70, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, 
+      (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x30, 
+      (byte) 0x3a, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x07, (byte) 0x02, (byte) 0x02, (byte) 0x30, (byte) 0x2e, (byte) 0x1a, (byte) 0x2c, (byte) 0x44, 
+      (byte) 0x69, (byte) 0x65, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x20, (byte) 0x5a, (byte) 0x65, 
+      (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x6b, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x20, (byte) 0x64, (byte) 0x69, (byte) 0x65, (byte) 0x6e, (byte) 0x74, (byte) 0x20, (byte) 0x6e, 
+      (byte) 0x75, (byte) 0x72, (byte) 0x20, (byte) 0x7a, (byte) 0x75, (byte) 0x20, (byte) 0x54, (byte) 0x65, 
+      (byte) 0x73, (byte) 0x74, (byte) 0x7a, (byte) 0x77, (byte) 0x65, (byte) 0x63, (byte) 0x6b, (byte) 0x65, 
+      (byte) 0x6e, (byte) 0x20, (byte) 0x21, (byte) 0x30, (byte) 0x81, (byte) 0xa4, (byte) 0x06, (byte) 0x03, 
+      (byte) 0x55, (byte) 0x1d, (byte) 0x1f, (byte) 0x04, (byte) 0x81, (byte) 0x9c, (byte) 0x30, (byte) 0x81, 
+      (byte) 0x99, (byte) 0x30, (byte) 0x81, (byte) 0x96, (byte) 0xa0, (byte) 0x81, (byte) 0x93, (byte) 0xa0, 
+      (byte) 0x81, (byte) 0x90, (byte) 0x86, (byte) 0x81, (byte) 0x8d, (byte) 0x6c, (byte) 0x64, (byte) 0x61, 
+      (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x6c, (byte) 0x64, (byte) 0x61, (byte) 0x70, 
+      (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, 
+      (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x2f, (byte) 0x6f, (byte) 0x75, (byte) 0x3d, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, 
+      (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, 
+      (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, 
+      (byte) 0x45, (byte) 0x6e, (byte) 0x63, (byte) 0x2d, (byte) 0x30, (byte) 0x32, (byte) 0x2c, (byte) 0x6f, 
+      (byte) 0x3d, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, 
+      (byte) 0x2c, (byte) 0x63, (byte) 0x3d, (byte) 0x41, (byte) 0x54, (byte) 0x3f, (byte) 0x63, (byte) 0x65, 
+      (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x65, (byte) 0x72, (byte) 0x65, (byte) 0x76, (byte) 0x6f, (byte) 0x63, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x6c, (byte) 0x69, (byte) 0x73, (byte) 0x74, (byte) 0x3f, 
+      (byte) 0x62, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x3f, (byte) 0x6f, (byte) 0x62, (byte) 0x6a, 
+      (byte) 0x65, (byte) 0x63, (byte) 0x74, (byte) 0x63, (byte) 0x6c, (byte) 0x61, (byte) 0x73, (byte) 0x73, 
+      (byte) 0x3d, (byte) 0x65, (byte) 0x69, (byte) 0x64, (byte) 0x43, (byte) 0x65, (byte) 0x72, (byte) 0x74, 
+      (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x69, (byte) 0x6f, 
+      (byte) 0x6e, (byte) 0x41, (byte) 0x75, (byte) 0x74, (byte) 0x68, (byte) 0x6f, (byte) 0x72, (byte) 0x69, 
+      (byte) 0x74, (byte) 0x79, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, 
+      (byte) 0x0e, (byte) 0x04, (byte) 0x0a, (byte) 0x04, (byte) 0x08, (byte) 0x4a, (byte) 0x24, (byte) 0x43, 
+      (byte) 0xc0, (byte) 0x85, (byte) 0x2a, (byte) 0xb4, (byte) 0x51, (byte) 0x30, (byte) 0x0e, (byte) 0x06, 
+      (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0f, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x04, 
+      (byte) 0x04, (byte) 0x03, (byte) 0x02, (byte) 0x04, (byte) 0xb0, (byte) 0x30, (byte) 0x25, (byte) 0x06, 
+      (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x11, (byte) 0x04, (byte) 0x1e, (byte) 0x30, (byte) 0x1c, 
+      (byte) 0x81, (byte) 0x1a, (byte) 0x74, (byte) 0x68, (byte) 0x6f, (byte) 0x6d, (byte) 0x61, (byte) 0x73, 
+      (byte) 0x2e, (byte) 0x72, (byte) 0x6f, (byte) 0x65, (byte) 0x73, (byte) 0x73, (byte) 0x6c, (byte) 0x65, 
+      (byte) 0x72, (byte) 0x40, (byte) 0x65, (byte) 0x67, (byte) 0x69, (byte) 0x7a, (byte) 0x2e, (byte) 0x67, 
+      (byte) 0x76, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, 
+      (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, (byte) 0x30, 
+      (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, 
+      (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x82, 
+      (byte) 0x01, (byte) 0x01, (byte) 0x00, (byte) 0x4a, (byte) 0x36, (byte) 0x02, (byte) 0xb3, (byte) 0xab, 
+      (byte) 0x02, (byte) 0xe9, (byte) 0xe1, (byte) 0xaf, (byte) 0x3f, (byte) 0xd5, (byte) 0xcd, (byte) 0x3d, 
+      (byte) 0x51, (byte) 0x08, (byte) 0xb8, (byte) 0x73, (byte) 0x23, (byte) 0x68, (byte) 0x0c, (byte) 0x22, 
+      (byte) 0x32, (byte) 0xcd, (byte) 0xbe, (byte) 0xc8, (byte) 0x77, (byte) 0xbc, (byte) 0x47, (byte) 0x37, 
+      (byte) 0xdd, (byte) 0x89, (byte) 0x7c, (byte) 0x22, (byte) 0x24, (byte) 0x2f, (byte) 0x23, (byte) 0xea, 
+      (byte) 0x3e, (byte) 0xc2, (byte) 0xf4, (byte) 0x59, (byte) 0x78, (byte) 0xa6, (byte) 0xbe, (byte) 0xcd, 
+      (byte) 0x71, (byte) 0xaa, (byte) 0xb5, (byte) 0xbc, (byte) 0xe3, (byte) 0xbc, (byte) 0x3f, (byte) 0xf1, 
+      (byte) 0xfa, (byte) 0x1a, (byte) 0x43, (byte) 0x2b, (byte) 0x91, (byte) 0x35, (byte) 0x67, (byte) 0xa5, 
+      (byte) 0x62, (byte) 0x9d, (byte) 0x55, (byte) 0x85, (byte) 0xe0, (byte) 0x3f, (byte) 0xed, (byte) 0x00, 
+      (byte) 0x67, (byte) 0x80, (byte) 0x6a, (byte) 0xfb, (byte) 0x46, (byte) 0x8a, (byte) 0xed, (byte) 0x48, 
+      (byte) 0x03, (byte) 0xe7, (byte) 0x9d, (byte) 0x5c, (byte) 0xac, (byte) 0xdf, (byte) 0xec, (byte) 0x2d, 
+      (byte) 0x53, (byte) 0x8b, (byte) 0x01, (byte) 0xdb, (byte) 0x14, (byte) 0x91, (byte) 0x21, (byte) 0xaf, 
+      (byte) 0xa7, (byte) 0x91, (byte) 0x69, (byte) 0x7e, (byte) 0x97, (byte) 0x68, (byte) 0xcc, (byte) 0x2a, 
+      (byte) 0x06, (byte) 0x1a, (byte) 0xbc, (byte) 0x53, (byte) 0x35, (byte) 0xde, (byte) 0xd7, (byte) 0x62, 
+      (byte) 0x12, (byte) 0xbd, (byte) 0x54, (byte) 0xb5, (byte) 0x4c, (byte) 0x3c, (byte) 0xaf, (byte) 0x55, 
+      (byte) 0xa4, (byte) 0x5b, (byte) 0x28, (byte) 0x61, (byte) 0x68, (byte) 0x03, (byte) 0xc6, (byte) 0x72, 
+      (byte) 0xc0, (byte) 0xa2, (byte) 0x3f, (byte) 0x84, (byte) 0x02, (byte) 0xf8, (byte) 0x3d, (byte) 0x70, 
+      (byte) 0x3f, (byte) 0xde, (byte) 0x9d, (byte) 0x6a, (byte) 0x71, (byte) 0x16, (byte) 0x87, (byte) 0x9d, 
+      (byte) 0x93, (byte) 0x3d, (byte) 0x46, (byte) 0x41, (byte) 0xa9, (byte) 0x6a, (byte) 0xca, (byte) 0x87, 
+      (byte) 0xd4, (byte) 0xd1, (byte) 0x3f, (byte) 0x1d, (byte) 0x6e, (byte) 0x6a, (byte) 0xbf, (byte) 0x02, 
+      (byte) 0x9b, (byte) 0xfb, (byte) 0x4a, (byte) 0x47, (byte) 0xe0, (byte) 0x20, (byte) 0x4a, (byte) 0x2d, 
+      (byte) 0x5a, (byte) 0x0c, (byte) 0x6b, (byte) 0x25, (byte) 0xd6, (byte) 0x2d, (byte) 0xd4, (byte) 0x53, 
+      (byte) 0x08, (byte) 0x41, (byte) 0xa9, (byte) 0x16, (byte) 0xa2, (byte) 0xa0, (byte) 0xef, (byte) 0x13, 
+      (byte) 0xa8, (byte) 0xec, (byte) 0x7e, (byte) 0x99, (byte) 0x15, (byte) 0xf9, (byte) 0x1a, (byte) 0x18, 
+      (byte) 0x5e, (byte) 0x75, (byte) 0xc7, (byte) 0x5d, (byte) 0x40, (byte) 0xd4, (byte) 0x84, (byte) 0x4a, 
+      (byte) 0xd2, (byte) 0xf7, (byte) 0x7c, (byte) 0x65, (byte) 0x12, (byte) 0xc7, (byte) 0xae, (byte) 0xbc, 
+      (byte) 0x9d, (byte) 0x3e, (byte) 0xce, (byte) 0x42, (byte) 0xfe, (byte) 0xe4, (byte) 0x98, (byte) 0x10, 
+      (byte) 0x63, (byte) 0x0d, (byte) 0xaa, (byte) 0x2d, (byte) 0x73, (byte) 0x7d, (byte) 0x46, (byte) 0x19, 
+      (byte) 0xca, (byte) 0x78, (byte) 0x94, (byte) 0xe5, (byte) 0x11, (byte) 0x83, (byte) 0x87, (byte) 0xb2, 
+      (byte) 0xf7, (byte) 0x59, (byte) 0x90, (byte) 0x47, (byte) 0x86, (byte) 0x57, (byte) 0xcf, (byte) 0xc7, 
+      (byte) 0x7b, (byte) 0x8f, (byte) 0xac, (byte) 0x20, (byte) 0xbd, (byte) 0x46, (byte) 0xea, (byte) 0xa2, 
+      (byte) 0x10, (byte) 0xe1, (byte) 0x72, (byte) 0x3e, (byte) 0xe3, (byte) 0x72, (byte) 0x20, (byte) 0x24, 
+      (byte) 0xa5, (byte) 0x2f, (byte) 0xc5
+    };
+  protected static final int KID_PIN_DEC = 0x81;
+
+  protected static byte[] FID_EF_INFOBOX = new byte[] { (byte) 0xc0, (byte) 0x02 };
+  protected static byte[] FCI_EF_INFOBOX = new byte[] { (byte) 0x6f, (byte) 0x07,
+    (byte) 0x80, (byte) 0x02, (byte) 0x05, (byte) 0xdc, (byte) 0x82,
+    (byte) 0x01, (byte) 0x01};
+  
+  protected byte[] EF_INFOBOX = new byte[1500];
+
+  protected byte[] EF_C_CH_EKEY = new byte[2000];
+  
+  public ACOSApplDEC() {
+    System.arraycopy(C_CH_EKEY, 0, EF_C_CH_EKEY, 0, C_CH_EKEY.length);
+    putFile(new File(FID_EF_C_CH_EKEY, EF_C_CH_EKEY, FCI_EF_C_CH_EKEY));
+    try {
+      pins.put(KID_PIN_DEC, new PIN("1234\0\0\0\0".getBytes("ASCII"), KID_PIN_DEC, 10));
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  @Override
+  public byte[] getAID() {
+    return AID_DEC;
+  }
+
+  @Override
+  public byte[] getFID() {
+    return FID_DEC;
+  }
+
+  @Override
+  public byte[] getFCI() {
+    return FCI;
+  }
+
+  public void clearInfobox() {
+    Arrays.fill(EF_INFOBOX, (byte) 0x00);
+  }
+  
+  public void setInfoboxHeader(byte b) {
+    EF_INFOBOX[0] = b;
+  }
+  
+  public void clearCert() {
+    Arrays.fill(EF_C_CH_EKEY, (byte) 0x00);
+  }
+
+  
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java
new file mode 100644
index 00000000..e476b434
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java
@@ -0,0 +1,302 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Random;
+
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public abstract class ACOSApplSIG extends ACOSAppl {
+
+  private static byte[] FCI = new byte[] { (byte) 0x6f, (byte) 0x1a,
+        (byte) 0x84, (byte) 0x07, (byte) 0xa0, (byte) 0x00, (byte) 0x00,
+        (byte) 0x01, (byte) 0x18, (byte) 0x45, (byte) 0x43, (byte) 0x85,
+        (byte) 0x0f, (byte) 0x50, (byte) 0x0d, (byte) 0x44, (byte) 0x49,
+        (byte) 0x47, (byte) 0x53, (byte) 0x49, (byte) 0x47, (byte) 0x20,
+        (byte) 0x43, (byte) 0x43, (byte) 0x20, (byte) 0x45, (byte) 0x43,
+        (byte) 0x43 };
+  protected static byte[] FID_EF_C_CH_DS = new byte[] { (byte) 0xc0, (byte) 0x02 };
+  protected static byte[] FCI_EF_C_CH_DS = new byte[] { (byte) 0x6f, (byte) 0x07,
+        (byte) 0x80, (byte) 0x02, (byte) 0x07, (byte) 0xd0, (byte) 0x82,
+        (byte) 0x01, (byte) 0x01 };
+  protected static byte[] C_CH_DS = new byte[] {
+      (byte) 0x30, (byte) 0x82, (byte) 0x05, (byte) 0x2b, (byte) 0x30, (byte) 0x82, (byte) 0x04, (byte) 0x13, 
+      (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x02, (byte) 0x02, (byte) 0x03, (byte) 0x02, 
+      (byte) 0x05, (byte) 0x52, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 
+      (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0xa1, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, 
+      (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, 
+      (byte) 0x54, (byte) 0x31, (byte) 0x48, (byte) 0x30, (byte) 0x46, (byte) 0x06, (byte) 0x03, (byte) 0x55, 
+      (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x3f, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, 
+      (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x73, (byte) 0x2e, 
+      (byte) 0x20, (byte) 0x66, (byte) 0x2e, (byte) 0x20, (byte) 0x53, (byte) 0x69, (byte) 0x63, (byte) 0x68, 
+      (byte) 0x65, (byte) 0x72, (byte) 0x68, (byte) 0x65, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x73, 
+      (byte) 0x79, (byte) 0x73, (byte) 0x74, (byte) 0x65, (byte) 0x6d, (byte) 0x65, (byte) 0x20, (byte) 0x69, 
+      (byte) 0x6d, (byte) 0x20, (byte) 0x65, (byte) 0x6c, (byte) 0x65, (byte) 0x6b, (byte) 0x74, (byte) 0x72, 
+      (byte) 0x2e, (byte) 0x20, (byte) 0x44, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x6e, (byte) 0x76, 
+      (byte) 0x65, (byte) 0x72, (byte) 0x6b, (byte) 0x65, (byte) 0x68, (byte) 0x72, (byte) 0x20, (byte) 0x47, 
+      (byte) 0x6d, (byte) 0x62, (byte) 0x48, (byte) 0x31, (byte) 0x23, (byte) 0x30, (byte) 0x21, (byte) 0x06, 
+      (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0b, (byte) 0x0c, (byte) 0x1a, (byte) 0x61, (byte) 0x2d, 
+      (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, 
+      (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, 
+      (byte) 0x74, (byte) 0x2d, (byte) 0x53, (byte) 0x69, (byte) 0x67, (byte) 0x2d, (byte) 0x30, (byte) 0x32, 
+      (byte) 0x31, (byte) 0x23, (byte) 0x30, (byte) 0x21, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
+      (byte) 0x03, (byte) 0x0c, (byte) 0x1a, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, 
+      (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, 
+      (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x53, 
+      (byte) 0x69, (byte) 0x67, (byte) 0x2d, (byte) 0x30, (byte) 0x32, (byte) 0x30, (byte) 0x1e, (byte) 0x17, 
+      (byte) 0x0d, (byte) 0x30, (byte) 0x39, (byte) 0x30, (byte) 0x31, (byte) 0x31, (byte) 0x33, (byte) 0x30, 
+      (byte) 0x39, (byte) 0x34, (byte) 0x35, (byte) 0x31, (byte) 0x32, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, 
+      (byte) 0x31, (byte) 0x32, (byte) 0x31, (byte) 0x32, (byte) 0x33, (byte) 0x31, (byte) 0x30, (byte) 0x39, 
+      (byte) 0x34, (byte) 0x35, (byte) 0x31, (byte) 0x32, (byte) 0x5a, (byte) 0x30, (byte) 0x70, (byte) 0x31, 
+      (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 
+      (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x54, (byte) 0x31, (byte) 0x1f, (byte) 0x30, (byte) 0x1d, 
+      (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x16, (byte) 0x58, 
+      (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x6f, (byte) 0x20, (byte) 0x58, 
+      (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x61, (byte) 0x6b, (byte) 0x72, 
+      (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x17, (byte) 0x30, 
+      (byte) 0x15, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x04, (byte) 0x0c, (byte) 0x0e, 
+      (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x61, (byte) 0x6b, 
+      (byte) 0x72, (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x65, (byte) 0x72, (byte) 0x31, (byte) 0x10, 
+      (byte) 0x30, (byte) 0x0e, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x2a, (byte) 0x0c, 
+      (byte) 0x07, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x4f, (byte) 0x74, (byte) 0x74, (byte) 0x6f, 
+      (byte) 0x31, (byte) 0x15, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
+      (byte) 0x05, (byte) 0x13, (byte) 0x0c, (byte) 0x39, (byte) 0x37, (byte) 0x30, (byte) 0x30, (byte) 0x31, 
+      (byte) 0x36, (byte) 0x38, (byte) 0x36, (byte) 0x36, (byte) 0x31, (byte) 0x37, (byte) 0x34, (byte) 0x30, 
+      (byte) 0x59, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, (byte) 0x2a, (byte) 0x86, (byte) 0x48, 
+      (byte) 0xce, (byte) 0x3d, (byte) 0x02, (byte) 0x01, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x86, 
+      (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0x03, (byte) 0x42, 
+      (byte) 0x00, (byte) 0x04, (byte) 0x6b, (byte) 0xde, (byte) 0x5f, (byte) 0x5e, (byte) 0xd5, (byte) 0x2b, 
+      (byte) 0xbe, (byte) 0x1e, (byte) 0xb9, (byte) 0x82, (byte) 0x19, (byte) 0x75, (byte) 0xf4, (byte) 0x3b, 
+      (byte) 0xc1, (byte) 0x34, (byte) 0xe9, (byte) 0xdb, (byte) 0x0b, (byte) 0x25, (byte) 0x31, (byte) 0x33, 
+      (byte) 0xfa, (byte) 0x8b, (byte) 0x72, (byte) 0xd4, (byte) 0x9f, (byte) 0x21, (byte) 0xf5, (byte) 0x62, 
+      (byte) 0xb9, (byte) 0xf6, (byte) 0x50, (byte) 0xdb, (byte) 0xcc, (byte) 0xbf, (byte) 0x43, (byte) 0xb9, 
+      (byte) 0x5e, (byte) 0x75, (byte) 0x2a, (byte) 0x37, (byte) 0xbe, (byte) 0x32, (byte) 0xa6, (byte) 0x83, 
+      (byte) 0xb1, (byte) 0x5c, (byte) 0xc3, (byte) 0x9d, (byte) 0xf0, (byte) 0xab, (byte) 0xe6, (byte) 0x8f, 
+      (byte) 0xe4, (byte) 0x97, (byte) 0x83, (byte) 0x57, (byte) 0x89, (byte) 0xe0, (byte) 0x13, (byte) 0xe3, 
+      (byte) 0x13, (byte) 0xa8, (byte) 0xa3, (byte) 0x82, (byte) 0x02, (byte) 0x65, (byte) 0x30, (byte) 0x82, 
+      (byte) 0x02, (byte) 0x61, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, 
+      (byte) 0x23, (byte) 0x04, (byte) 0x0c, (byte) 0x30, (byte) 0x0a, (byte) 0x80, (byte) 0x08, (byte) 0x46, 
+      (byte) 0x06, (byte) 0x9f, (byte) 0x8e, (byte) 0x41, (byte) 0x8e, (byte) 0x15, (byte) 0xbd, (byte) 0x30, 
+      (byte) 0x27, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x07, (byte) 0x01, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x04, (byte) 0x18, 
+      (byte) 0x30, (byte) 0x16, (byte) 0x30, (byte) 0x08, (byte) 0x06, (byte) 0x06, (byte) 0x04, (byte) 0x00, 
+      (byte) 0x8e, (byte) 0x46, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0a, (byte) 0x06, (byte) 0x08, 
+      (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x0b, (byte) 0x01, 
+      (byte) 0x30, (byte) 0x81, (byte) 0x84, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, 
+      (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x01, (byte) 0x01, (byte) 0x04, (byte) 0x78, (byte) 0x30, 
+      (byte) 0x76, (byte) 0x30, (byte) 0x2c, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, 
+      (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x30, (byte) 0x01, (byte) 0x86, (byte) 0x20, (byte) 0x68, 
+      (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x6f, (byte) 0x63, 
+      (byte) 0x73, (byte) 0x70, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2e, 
+      (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, 
+      (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x70, (byte) 0x30, 
+      (byte) 0x46, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+      (byte) 0x07, (byte) 0x30, (byte) 0x02, (byte) 0x86, (byte) 0x3a, (byte) 0x68, (byte) 0x74, (byte) 0x74, 
+      (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, 
+      (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, 
+      (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x63, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x73, 
+      (byte) 0x2f, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, 
+      (byte) 0x50, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, 
+      (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x53, (byte) 0x69, (byte) 0x67, 
+      (byte) 0x2d, (byte) 0x30, (byte) 0x32, (byte) 0x2e, (byte) 0x63, (byte) 0x72, (byte) 0x74, (byte) 0x30, 
+      (byte) 0x81, (byte) 0x9d, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x20, (byte) 0x04, 
+      (byte) 0x81, (byte) 0x95, (byte) 0x30, (byte) 0x81, (byte) 0x92, (byte) 0x30, (byte) 0x81, (byte) 0x85, 
+      (byte) 0x06, (byte) 0x06, (byte) 0x2a, (byte) 0x28, (byte) 0x00, (byte) 0x11, (byte) 0x01, (byte) 0x03, 
+      (byte) 0x30, (byte) 0x7b, (byte) 0x30, (byte) 0x3d, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, 
+      (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x02, (byte) 0x01, (byte) 0x16, (byte) 0x31, 
+      (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x77, 
+      (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, 
+      (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x64, (byte) 0x6f, 
+      (byte) 0x63, (byte) 0x73, (byte) 0x2f, (byte) 0x63, (byte) 0x70, (byte) 0x2f, (byte) 0x61, (byte) 0x2d, 
+      (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x70, (byte) 0x72, (byte) 0x65, 
+      (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, 
+      (byte) 0x74, (byte) 0x30, (byte) 0x3a, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, 
+      (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x02, (byte) 0x02, (byte) 0x30, (byte) 0x2e, (byte) 0x1a, 
+      (byte) 0x2c, (byte) 0x44, (byte) 0x69, (byte) 0x65, (byte) 0x73, (byte) 0x65, (byte) 0x73, (byte) 0x20, 
+      (byte) 0x5a, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x6b, 
+      (byte) 0x61, (byte) 0x74, (byte) 0x20, (byte) 0x64, (byte) 0x69, (byte) 0x65, (byte) 0x6e, (byte) 0x74, 
+      (byte) 0x20, (byte) 0x6e, (byte) 0x75, (byte) 0x72, (byte) 0x20, (byte) 0x7a, (byte) 0x75, (byte) 0x20, 
+      (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x7a, (byte) 0x77, (byte) 0x65, (byte) 0x63, 
+      (byte) 0x6b, (byte) 0x65, (byte) 0x6e, (byte) 0x20, (byte) 0x21, (byte) 0x30, (byte) 0x08, (byte) 0x06, 
+      (byte) 0x06, (byte) 0x04, (byte) 0x00, (byte) 0x8b, (byte) 0x30, (byte) 0x01, (byte) 0x01, (byte) 0x30, 
+      (byte) 0x81, (byte) 0xa4, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x1f, (byte) 0x04, 
+      (byte) 0x81, (byte) 0x9c, (byte) 0x30, (byte) 0x81, (byte) 0x99, (byte) 0x30, (byte) 0x81, (byte) 0x96, 
+      (byte) 0xa0, (byte) 0x81, (byte) 0x93, (byte) 0xa0, (byte) 0x81, (byte) 0x90, (byte) 0x86, (byte) 0x81, 
+      (byte) 0x8d, (byte) 0x6c, (byte) 0x64, (byte) 0x61, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, 
+      (byte) 0x6c, (byte) 0x64, (byte) 0x61, (byte) 0x70, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, 
+      (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, 
+      (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x6f, (byte) 0x75, (byte) 0x3d, 
+      (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, 
+      (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, 
+      (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x53, (byte) 0x69, (byte) 0x67, (byte) 0x2d, 
+      (byte) 0x30, (byte) 0x32, (byte) 0x2c, (byte) 0x6f, (byte) 0x3d, (byte) 0x41, (byte) 0x2d, (byte) 0x54, 
+      (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2c, (byte) 0x63, (byte) 0x3d, (byte) 0x41, 
+      (byte) 0x54, (byte) 0x3f, (byte) 0x63, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, 
+      (byte) 0x69, (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x65, (byte) 0x76, 
+      (byte) 0x6f, (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x6c, 
+      (byte) 0x69, (byte) 0x73, (byte) 0x74, (byte) 0x3f, (byte) 0x62, (byte) 0x61, (byte) 0x73, (byte) 0x65, 
+      (byte) 0x3f, (byte) 0x6f, (byte) 0x62, (byte) 0x6a, (byte) 0x65, (byte) 0x63, (byte) 0x74, (byte) 0x63, 
+      (byte) 0x6c, (byte) 0x61, (byte) 0x73, (byte) 0x73, (byte) 0x3d, (byte) 0x65, (byte) 0x69, (byte) 0x64, 
+      (byte) 0x43, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, 
+      (byte) 0x61, (byte) 0x74, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x41, (byte) 0x75, (byte) 0x74, 
+      (byte) 0x68, (byte) 0x6f, (byte) 0x72, (byte) 0x69, (byte) 0x74, (byte) 0x79, (byte) 0x30, (byte) 0x11, 
+      (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x0a, (byte) 0x04, 
+      (byte) 0x08, (byte) 0x46, (byte) 0x08, (byte) 0xda, (byte) 0x9e, (byte) 0x68, (byte) 0xf8, (byte) 0xe5, 
+      (byte) 0x81, (byte) 0x30, (byte) 0x0e, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0f, 
+      (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x04, (byte) 0x04, (byte) 0x03, (byte) 0x02, (byte) 0x06, 
+      (byte) 0xc0, (byte) 0x30, (byte) 0x25, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x11, 
+      (byte) 0x04, (byte) 0x1e, (byte) 0x30, (byte) 0x1c, (byte) 0x81, (byte) 0x1a, (byte) 0x74, (byte) 0x68, 
+      (byte) 0x6f, (byte) 0x6d, (byte) 0x61, (byte) 0x73, (byte) 0x2e, (byte) 0x72, (byte) 0x6f, (byte) 0x65, 
+      (byte) 0x73, (byte) 0x73, (byte) 0x6c, (byte) 0x65, (byte) 0x72, (byte) 0x40, (byte) 0x65, (byte) 0x67, 
+      (byte) 0x69, (byte) 0x7a, (byte) 0x2e, (byte) 0x67, (byte) 0x76, (byte) 0x2e, (byte) 0x61, (byte) 0x74, 
+      (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, 
+      (byte) 0x02, (byte) 0x30, (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, 
+      (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, 
+      (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x82, (byte) 0x01, (byte) 0x01, (byte) 0x00, (byte) 0xd8, 
+      (byte) 0xec, (byte) 0xe5, (byte) 0x5c, (byte) 0x17, (byte) 0x42, (byte) 0xe8, (byte) 0x2f, (byte) 0x04, 
+      (byte) 0x1f, (byte) 0xe2, (byte) 0x04, (byte) 0x57, (byte) 0x07, (byte) 0x30, (byte) 0xdc, (byte) 0x4f, 
+      (byte) 0x61, (byte) 0x7d, (byte) 0xd8, (byte) 0x89, (byte) 0x36, (byte) 0x31, (byte) 0x26, (byte) 0x45, 
+      (byte) 0x55, (byte) 0x64, (byte) 0xd3, (byte) 0x55, (byte) 0x1b, (byte) 0x83, (byte) 0x51, (byte) 0xa0, 
+      (byte) 0x39, (byte) 0x1b, (byte) 0x6a, (byte) 0x7e, (byte) 0xfa, (byte) 0x7e, (byte) 0x2c, (byte) 0xd0, 
+      (byte) 0xd3, (byte) 0x86, (byte) 0x7b, (byte) 0x8d, (byte) 0x29, (byte) 0x8f, (byte) 0xa3, (byte) 0x83, 
+      (byte) 0xd2, (byte) 0x72, (byte) 0xce, (byte) 0x43, (byte) 0xcf, (byte) 0xc1, (byte) 0x27, (byte) 0xf1, 
+      (byte) 0x4d, (byte) 0x11, (byte) 0xe2, (byte) 0x67, (byte) 0xbe, (byte) 0x6e, (byte) 0x34, (byte) 0x7d, 
+      (byte) 0x04, (byte) 0x1f, (byte) 0xba, (byte) 0x55, (byte) 0x34, (byte) 0xea, (byte) 0xc2, (byte) 0xcf, 
+      (byte) 0x0f, (byte) 0x64, (byte) 0x7b, (byte) 0x84, (byte) 0xe0, (byte) 0x55, (byte) 0x05, (byte) 0x82, 
+      (byte) 0xdd, (byte) 0x9d, (byte) 0xd7, (byte) 0xeb, (byte) 0x91, (byte) 0x78, (byte) 0x69, (byte) 0x49, 
+      (byte) 0x58, (byte) 0x70, (byte) 0xff, (byte) 0x83, (byte) 0x70, (byte) 0xa0, (byte) 0xb3, (byte) 0xb7, 
+      (byte) 0x3d, (byte) 0x0f, (byte) 0x8e, (byte) 0xe9, (byte) 0x1b, (byte) 0x21, (byte) 0xef, (byte) 0x31, 
+      (byte) 0x0b, (byte) 0xe3, (byte) 0xac, (byte) 0xc6, (byte) 0x0f, (byte) 0x57, (byte) 0x4f, (byte) 0xd8, 
+      (byte) 0xd6, (byte) 0xb2, (byte) 0xd0, (byte) 0xca, (byte) 0xd9, (byte) 0x6f, (byte) 0x3f, (byte) 0x6e, 
+      (byte) 0x83, (byte) 0x8c, (byte) 0xff, (byte) 0x47, (byte) 0xca, (byte) 0xbc, (byte) 0x81, (byte) 0x60, 
+      (byte) 0x5f, (byte) 0xe2, (byte) 0xdd, (byte) 0xbd, (byte) 0x89, (byte) 0xb2, (byte) 0x52, (byte) 0xac, 
+      (byte) 0xc3, (byte) 0x8b, (byte) 0x44, (byte) 0x99, (byte) 0x70, (byte) 0xe7, (byte) 0x2c, (byte) 0x52, 
+      (byte) 0x21, (byte) 0xaa, (byte) 0xa2, (byte) 0x0f, (byte) 0x38, (byte) 0xc6, (byte) 0x98, (byte) 0x4d, 
+      (byte) 0x48, (byte) 0xda, (byte) 0x65, (byte) 0x41, (byte) 0xa4, (byte) 0xad, (byte) 0x41, (byte) 0x7c, 
+      (byte) 0x99, (byte) 0x14, (byte) 0xe5, (byte) 0xcb, (byte) 0x51, (byte) 0xd7, (byte) 0xab, (byte) 0x76, 
+      (byte) 0xb1, (byte) 0x20, (byte) 0xce, (byte) 0x32, (byte) 0x1b, (byte) 0x11, (byte) 0x5c, (byte) 0xef, 
+      (byte) 0x8b, (byte) 0x4f, (byte) 0xf3, (byte) 0x46, (byte) 0x5b, (byte) 0x11, (byte) 0xd7, (byte) 0x91, 
+      (byte) 0xb6, (byte) 0x41, (byte) 0xd3, (byte) 0x23, (byte) 0xb6, (byte) 0x03, (byte) 0xa8, (byte) 0x98, 
+      (byte) 0x40, (byte) 0x76, (byte) 0x13, (byte) 0x5d, (byte) 0x4c, (byte) 0xb2, (byte) 0xe9, (byte) 0xfe, 
+      (byte) 0x90, (byte) 0x27, (byte) 0x04, (byte) 0xfc, (byte) 0x10, (byte) 0x45, (byte) 0x8b, (byte) 0x10, 
+      (byte) 0xc3, (byte) 0xb2, (byte) 0x4b, (byte) 0x3c, (byte) 0xd2, (byte) 0x5b, (byte) 0x0f, (byte) 0xe8, 
+      (byte) 0xfb, (byte) 0xb9, (byte) 0x45, (byte) 0xaf, (byte) 0x05, (byte) 0xc4, (byte) 0xba, (byte) 0xc7, 
+      (byte) 0xfc, (byte) 0xa5, (byte) 0x7d, (byte) 0xdb, (byte) 0x4f, (byte) 0xa9, (byte) 0x76, (byte) 0xe2, 
+      (byte) 0xfa, (byte) 0xc7, (byte) 0xe0, (byte) 0xad, (byte) 0x70, (byte) 0xaa, (byte) 0x40, (byte) 0x15, 
+      (byte) 0x64, (byte) 0x01, (byte) 0xba, (byte) 0xc6, (byte) 0xc3, (byte) 0x83, (byte) 0x65, (byte) 0x95, 
+      (byte) 0x3c, (byte) 0x05, (byte) 0x53, (byte) 0x88, (byte) 0xe7, (byte) 0x19, (byte) 0x98
+    };
+  
+  protected static final int KID_PIN_SIG = 0x81;
+
+  protected byte[] EF_C_CH_DS = new byte[2000];
+  
+  public ACOSApplSIG() {
+    // Files
+    System.arraycopy(C_CH_DS, 0, EF_C_CH_DS, 0, C_CH_DS.length);
+    putFile(new File(FID_EF_C_CH_DS, EF_C_CH_DS, FCI_EF_C_CH_DS));
+    
+    // PINs
+    try {
+      pins.put(KID_PIN_SIG, new PIN(Arrays.copyOf("123456".getBytes("ASCII"), 8), KID_PIN_SIG, 3));
+    } catch (UnsupportedEncodingException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  @Override
+  public byte[] getAID() {
+    return AID_SIG;
+  }
+
+  @Override
+  public byte[] getFID() {
+    return FID_SIG;
+  }
+
+  @Override
+  public byte[] getFCI() {
+    return FCI;
+  }
+
+  @Override
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel) {
+    
+    checkINS(command, 0x2A);
+  
+    if (command.getP1() == 0x90 && command.getP2() == 0x81) {
+      
+      // PUT HASH
+      hash = command.getData();
+      return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+      
+    } else if (command.getP1() == 0x9E && command.getP2() == 0x9A) {
+      
+      // COMPUTE DIGITAL SIGNATURE
+      if (securityEnv == null) {
+        // No security environment
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+      }
+      if (hash == null) {
+        // Command sequence not correct
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x03});
+      }
+      if (hash.length != 20) {
+        // Invalid hash length
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80});
+      }
+      if (pins.get(KID_PIN_SIG).state != PIN.STATE_PIN_VERIFIED) {
+        // Security Status not satisfied
+        return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+      }
+      
+      byte[] signature = new byte[48]; 
+      
+      // TODO replace by signature creation
+      Random random = new Random();
+      random.nextBytes(signature);
+      
+      byte[] response = new byte[signature.length + 2];
+      System.arraycopy(signature, 0, response, 0, signature.length);
+      response[signature.length] = (byte) 0x90;
+      response[signature.length + 1] = (byte) 0x00;
+      
+      hash = null;
+      pins.get(KID_PIN_SIG).state = PIN.STATE_RESET;
+      
+      return new ResponseAPDU(response);
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    }
+    
+  }
+  
+  public void clearCert() {
+    Arrays.fill(EF_C_CH_DS, (byte) 0x00);
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardChannelEmul.java
new file mode 100644
index 00000000..25923686
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardChannelEmul.java
@@ -0,0 +1,261 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import java.util.Arrays;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.AbstractAppl;
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public abstract class ACOSCardChannelEmul extends CardChannelEmul {
+
+  /**
+   * 
+   */
+  protected CardEmul cardEmul;
+
+  public ACOSCardChannelEmul(CardEmul cardEmul) {
+    this.cardEmul = cardEmul;
+  }
+
+  @Override
+  public Card getCard() {
+    return cardEmul;
+  }
+
+  protected ResponseAPDU cmdSELECT(CommandAPDU command) throws CardException {
+  
+    byte[] fid = command.getData();
+    
+    AbstractAppl appl = cardEmul.getApplication(fid);
+    if (appl != null) {
+      if (currentAppl != null && currentAppl != appl) {
+        currentAppl.leaveApplContext();
+        currentFile = null;
+      }
+      currentAppl = appl;
+
+      byte[] fci = currentAppl.getFCI();
+      byte[] response = new byte[fci.length + 2];
+      System.arraycopy(fci, 0, response, 0, fci.length);
+      response[fci.length] = (byte) 0x90;
+      response[fci.length + 1] = (byte) 0x00;
+      return new ResponseAPDU(response);
+    }
+    
+    if (command.getP1() == 0x00) {
+      // SELECT with FID
+      if (currentAppl instanceof AbstractAppl) {
+        
+        for (File file : ((AbstractAppl) currentAppl).getFiles()) {
+          
+          if (Arrays.equals(fid, file.fid)) {
+            currentFile = file;
+            byte[] response = new byte[file.fcx.length + 2];
+            System.arraycopy(file.fcx, 0, response, 0, file.fcx.length);
+            response[file.fcx.length] = (byte) 0x90;
+            response[file.fcx.length + 1] = (byte) 0x00;
+            return new ResponseAPDU(response);
+          }
+          
+        }
+        
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x82});
+        
+      } else {
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x82});
+      }
+    }
+    
+    // Not found
+    return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x82});
+    
+  }
+  
+  public abstract ResponseAPDU cmdREAD_BINARY(CommandAPDU command) throws CardException;
+
+
+  @Override
+  public ResponseAPDU transmit(CommandAPDU command) throws CardException {
+  
+    if (command.getCLA() == 0x00) {
+  
+      switch (command.getINS()) {
+  
+      // SELECT
+      case 0xA4:
+        return cmdSELECT(command);
+      
+      // READ BINARY
+      case 0xB0:
+        return cmdREAD_BINARY(command);
+      
+      // VERIFY
+      case 0x20:
+        if ((command.getP2() & 0x80) > 0) {
+          return cmdVERIFY(command);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81}); 
+        }
+      
+      // MANAGE SECURITY ENVIRONMENT
+      case 0x22: {
+        if (currentAppl != null) {
+          return currentAppl.cmdMANAGE_SECURITY_ENVIRONMENT(command, this);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05}); 
+        }
+      }
+      
+      // CHANGE REFERENCE DATA
+      case 0x24: {
+        return cmdCHANGE_REFERENCE_DATA(command);
+      }
+      
+      // PERFORM SECURITY OPERATION
+      case 0x2A: {
+        if (currentAppl != null) {
+          return currentAppl.cmdPERFORM_SECURITY_OPERATION(command, this);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+  
+      // INTERNAL AUTHENTICATE
+      case 0x88: {
+        if (currentAppl != null) {
+          return currentAppl.cmdINTERNAL_AUTHENTICATE(command, this);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+      
+      default:
+        return new ResponseAPDU(new byte[] { (byte) 0x6D, (byte) 0x00});
+      }
+  
+    } else {
+      return new ResponseAPDU(new byte[] { (byte) 0x6E, (byte) 0x00}); 
+    }
+  
+  }
+
+  protected ResponseAPDU verifyPin(int kid, byte[] reference) {
+    
+    PIN pin;
+    if (currentAppl != null) {
+      pin = currentAppl.pins.get(kid);
+    } else {
+      pin = null;
+    }
+    
+    if (pin != null) {
+  
+      if (reference.length != 8) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+      
+      if (Arrays.equals(reference, pin.pin)) {
+        switch (pin.state) {
+        case PIN.STATE_PIN_BLOCKED:
+          return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x83 });
+  
+        case PIN.STATE_RESET:
+          pin.state = PIN.STATE_PIN_VERIFIED;
+          
+        default:
+          pin.kfpc = 10;
+          return new ResponseAPDU(new byte[] { (byte) 0x90, (byte) 0x00 });
+        }
+      } else {
+        switch (pin.state) {
+        case PIN.STATE_PIN_BLOCKED:
+          return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x83 });
+        
+        default:
+          if (--pin.kfpc > 0) {
+            return new ResponseAPDU(new byte[] { (byte) 0x63, (byte) (pin.kfpc | 0xC0)});
+          } else {
+            pin.state = PIN.STATE_PIN_BLOCKED;
+            return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x83 });
+          }
+        }
+        
+      }
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    }
+    
+  }
+
+  public ResponseAPDU cmdVERIFY(CommandAPDU command) throws CardException {
+    
+    if (command.getINS() != 0x20) {
+      throw new IllegalArgumentException("INS has to be 0x20.");
+    }
+    
+    if (command.getP1() != 00) {
+      return new ResponseAPDU(new byte[] {(byte) 0x6B, (byte) 0x00});
+    }
+    
+    return verifyPin(command.getP2(), command.getData());
+  
+  }
+
+  public ResponseAPDU cmdCHANGE_REFERENCE_DATA(CommandAPDU command) {
+    
+    if (command.getINS() != 0x24) {
+      throw new IllegalArgumentException("INS has to be 0x24.");
+    }
+    
+    if (command.getP1() == 0x00) {
+      
+      byte[] data = command.getData();
+      if (data.length != 16) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+  
+      ResponseAPDU response = verifyPin(command.getP2(), Arrays.copyOf(data, 8));
+      if (response.getSW() == 0x9000) {
+        PIN pin;
+        if (currentAppl != null) {
+          pin = currentAppl.pins.get(command.getP2());
+        } else {
+          pin = null;
+        }
+        pin.pin = Arrays.copyOfRange(data, 8, 16);
+      }
+      
+      return response;
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+    
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardEmul.java
new file mode 100644
index 00000000..b9f70a5d
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardEmul.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+
+import javax.smartcardio.ATR;
+
+import at.gv.egiz.smcc.CardEmul;
+
+@SuppressWarnings("restriction")
+public abstract class ACOSCardEmul extends CardEmul {
+
+  protected static ATR ATR = new ATR(new byte[] {
+        (byte) 0x3b, (byte) 0xbf, (byte) 0x11, (byte) 0x00, (byte) 0x81, (byte) 0x31, (byte) 0xfe, (byte) 0x45, 
+        (byte) 0x45, (byte) 0x50, (byte) 0x41, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0xf1
+  });
+  
+  @Override
+  public ATR getATR() {
+    return ATR;
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
new file mode 100644
index 00000000..90bb039e
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
@@ -0,0 +1,243 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+import org.junit.Test;
+
+import at.gv.egiz.smcc.ACOSCard;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.CardNotSupportedException;
+import at.gv.egiz.smcc.CardTest;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.SignatureCard;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+
+public abstract class ACOSCardTest extends CardTest {
+
+  public ACOSCardTest() {
+    super();
+  }
+
+  protected abstract int getVersion();
+
+  @Test
+  public void testGetInfoboxIdentityLinkEmpty() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    char[] pin = "0000".toCharArray();
+    
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    appl.clearInfobox();
+
+    byte[] idlink = signatureCard.getInfobox("IdentityLink",
+        new TestPINProvider(pin), null);
+    assertNull(idlink);
+
+  }
+  
+  @Test(expected = SignatureCardException.class)
+  public void testGetInfoboxIdentityInvalid() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    char[] pin = "0000".toCharArray();
+    
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    appl.setInfoboxHeader((byte) 0xFF);
+
+    signatureCard.getInfobox("IdentityLink", new TestPINProvider(pin), null);
+
+  }
+
+  @Test
+  public void testGetCerts() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    SignatureCard signatureCard = createSignatureCard();
+
+    byte[] cert;
+
+    cert = signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+    assertNotNull(cert);
+    assertTrue(Arrays.equals(cert, A04ApplSIG.C_CH_DS));
+
+    cert = signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+    assertNotNull(cert);
+    assertTrue(Arrays.equals(cert, A04ApplDEC.C_CH_EKEY));
+
+  }
+
+  @Test(expected = NotActivatedException.class)
+  public void testGetSIGCertEmpty() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplSIG appl = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
+    appl.clearCert();
+
+    signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+
+  }
+
+  @Test(expected = NotActivatedException.class)
+  public void testGetDECCertEmpty() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    appl.clearCert();
+
+    signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+
+  }
+
+  @Test
+  public void testSignSIG() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    char[] pin = "123456".toCharArray();
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplSIG appl = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
+    appl.setPin(ACOSApplSIG.KID_PIN_SIG, pin);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    byte[] signature = signatureCard.createSignature(hash,
+        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin));
+
+    assertNotNull(signature);
+
+  }
+
+  @Test
+  public void testSignDEC() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    char[] pin = "1234".toCharArray();
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    appl.setPin(ACOSApplDEC.KID_PIN_DEC, pin);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    byte[] signature = signatureCard.createSignature(hash,
+        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin));
+
+    assertNotNull(signature);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignSIGInvalidPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignDECInvalidPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignSIGBlockedPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplSIG appl = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
+    appl.setPin(ACOSApplSIG.KID_PIN_SIG, null);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignDECBlockedPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
+    appl.setPin(ACOSApplDEC.KID_PIN_DEC, null);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider);
+
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTestSuite.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTestSuite.java
new file mode 100644
index 00000000..101f7edc
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTestSuite.java
@@ -0,0 +1,27 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.acos;
+
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+import org.junit.runners.Suite.SuiteClasses;
+
+@RunWith(Suite.class)
+@SuiteClasses( { A03CardTest.class, A04CardTest.class })
+public class ACOSCardTestSuite {
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java
new file mode 100644
index 00000000..2ca63eea
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java
@@ -0,0 +1,95 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import java.io.UnsupportedEncodingException;
+import java.math.BigInteger;
+import java.util.Arrays;
+import java.util.Iterator;
+
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.AbstractAppl;
+import at.gv.egiz.smcc.CardAppl;
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public abstract class STARCOSAppl extends AbstractAppl implements CardAppl {
+
+  public static byte[] AID_SichereSignatur = new byte[] { (byte) 0xD0, (byte) 0x40,
+        (byte) 0x00, (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x12, (byte) 0x01 };
+  
+  public static byte[] FID_SichereSignatur = new byte[] { (byte) 0x3F, (byte) 0x04 };
+  
+  public static byte[] AID_Infobox = new byte[] { (byte) 0xD0, (byte) 0x40,
+    (byte) 0x00, (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x18, (byte) 0x01 };
+
+  public static byte[] FID_Infobox = new byte[] { (byte) 0x3F, (byte) 0x06 };
+
+  public static byte[] AID_GewoehnlicheSignatur = new byte[] { (byte) 0xD0, (byte) 0x40,
+    (byte) 0x00, (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x13, (byte) 0x01 };
+
+  public static byte[] FID_GewoehnlicheSignatur = new byte[] { (byte) 0x3F, (byte) 0x05 };
+  
+  protected STARCOSCardChannelEmul channel;
+  
+  protected byte[] securityEnv;
+
+  protected byte[] hash;
+
+  public STARCOSAppl(STARCOSCardChannelEmul channel) {
+    this.channel = channel;
+  }
+
+  @Override
+  public ResponseAPDU cmdINTERNAL_AUTHENTICATE(CommandAPDU command, CardChannelEmul channel) {
+    return new ResponseAPDU(new byte[] {(byte) 0x6D, (byte) 0x00});
+  }
+
+  @Override
+  public void leaveApplContext() {
+    Iterator<PIN> pin = pins.values().iterator();
+    while (pin.hasNext()) {
+      pin.next().state = PIN.STATE_RESET;
+    }
+  }
+  
+  public void setPin(int kid, char[] value) {
+    PIN pin = pins.get(kid);
+    if (pin != null) {
+      if (value == null) {
+        pin.pin = null;
+      } else {
+        byte[] b = new byte[8];
+        b[0] = (byte) (0x20 | value.length);
+        for(int i = 1, j = 0; i < b.length; i++) {
+          int h = ((j < value.length) 
+                  ? Character.digit(value[j++], 10) 
+                  : 0x0F);
+          int l = ((j < value.length) 
+                  ? Character.digit(value[j++], 10) 
+                  : 0x0F);
+          b[i] = (byte) ((h << 4) | l);
+        }
+        pin.pin = b;
+      }
+    }
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java
new file mode 100644
index 00000000..cec305da
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java
@@ -0,0 +1,332 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Random;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public class STARCOSApplGewoehnlicheSignatur extends STARCOSAppl {
+
+  private static byte[] FCI = new byte[] { (byte) 0x6f, (byte) 0x14,
+      (byte) 0x84, (byte) 0x08, (byte) 0xd0, (byte) 0x40, (byte) 0x00,
+      (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x13, (byte) 0x01,
+      (byte) 0xa5, (byte) 0x08, (byte) 0x53, (byte) 0x02, (byte) 0x01,
+      (byte) 0x10, (byte) 0x54, (byte) 0x02, (byte) 0x01, (byte) 0x00 };
+  
+  protected static byte[] FID_EF_C_X509_CH_AUT = new byte[] { (byte) 0x2f,
+      (byte) 0x01 };
+  
+  protected static byte[] FCI_EF_C_X509_CH_AUT = new byte[] { (byte) 0x62,
+      (byte) 0x16, (byte) 0x80, (byte) 0x02, (byte) 0x04, (byte) 0x9c,
+      (byte) 0x82, (byte) 0x01, (byte) 0x01, (byte) 0x83, (byte) 0x02,
+      (byte) 0x2f, (byte) 0x01, (byte) 0x88, (byte) 0x01, (byte) 0x08,
+      (byte) 0x8a, (byte) 0x01, (byte) 0x05, (byte) 0xa1, (byte) 0x03,
+      (byte) 0x8b, (byte) 0x01, (byte) 0x08 };
+  
+  protected static byte[] C_X509_CH_AUT = new byte[] {
+    (byte) 0x30, (byte) 0x82, (byte) 0x04, (byte) 0x98, (byte) 0x30, (byte) 0x82, (byte) 0x03, (byte) 0x80, 
+    (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x02, (byte) 0x02, (byte) 0x03, (byte) 0x02, 
+    (byte) 0x06, (byte) 0x5f, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 
+    (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+    (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0x95, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, 
+    (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, 
+    (byte) 0x54, (byte) 0x31, (byte) 0x48, (byte) 0x30, (byte) 0x46, (byte) 0x06, (byte) 0x03, (byte) 0x55, 
+    (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x3f, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x73, (byte) 0x2e, 
+    (byte) 0x20, (byte) 0x66, (byte) 0x2e, (byte) 0x20, (byte) 0x53, (byte) 0x69, (byte) 0x63, (byte) 0x68, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x68, (byte) 0x65, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x73, 
+    (byte) 0x79, (byte) 0x73, (byte) 0x74, (byte) 0x65, (byte) 0x6d, (byte) 0x65, (byte) 0x20, (byte) 0x69, 
+    (byte) 0x6d, (byte) 0x20, (byte) 0x65, (byte) 0x6c, (byte) 0x65, (byte) 0x6b, (byte) 0x74, (byte) 0x72, 
+    (byte) 0x2e, (byte) 0x20, (byte) 0x44, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x6e, (byte) 0x76, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x6b, (byte) 0x65, (byte) 0x68, (byte) 0x72, (byte) 0x20, (byte) 0x47, 
+    (byte) 0x6d, (byte) 0x62, (byte) 0x48, (byte) 0x31, (byte) 0x1d, (byte) 0x30, (byte) 0x1b, (byte) 0x06, 
+    (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0b, (byte) 0x0c, (byte) 0x14, (byte) 0x61, (byte) 0x2d, 
+    (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x74, (byte) 0x6f, (byte) 0x6b, 
+    (byte) 0x65, (byte) 0x6e, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, 
+    (byte) 0x30, (byte) 0x33, (byte) 0x31, (byte) 0x1d, (byte) 0x30, (byte) 0x1b, (byte) 0x06, (byte) 0x03, 
+    (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x14, (byte) 0x61, (byte) 0x2d, (byte) 0x73, 
+    (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x74, (byte) 0x6f, (byte) 0x6b, (byte) 0x65, 
+    (byte) 0x6e, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x30, 
+    (byte) 0x33, (byte) 0x30, (byte) 0x1e, (byte) 0x17, (byte) 0x0d, (byte) 0x30, (byte) 0x39, (byte) 0x30, 
+    (byte) 0x33, (byte) 0x30, (byte) 0x36, (byte) 0x31, (byte) 0x35, (byte) 0x32, (byte) 0x32, (byte) 0x33, 
+    (byte) 0x38, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, (byte) 0x31, (byte) 0x32, (byte) 0x30, (byte) 0x33, 
+    (byte) 0x30, (byte) 0x36, (byte) 0x31, (byte) 0x35, (byte) 0x32, (byte) 0x32, (byte) 0x33, (byte) 0x38, 
+    (byte) 0x5a, (byte) 0x30, (byte) 0x72, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, 
+    (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x54, 
+    (byte) 0x31, (byte) 0x20, (byte) 0x30, (byte) 0x1e, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
+    (byte) 0x03, (byte) 0x0c, (byte) 0x17, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0xc5, (byte) 0x90, 
+    (byte) 0x7a, (byte) 0x67, (byte) 0xc3, (byte) 0xbc, (byte) 0x72, (byte) 0x20, (byte) 0x58, (byte) 0x58, 
+    (byte) 0x58, (byte) 0x54, (byte) 0xc3, (byte) 0xbc, (byte) 0x7a, (byte) 0x65, (byte) 0x6b, (byte) 0xc3, 
+    (byte) 0xa7, (byte) 0x69, (byte) 0x31, (byte) 0x15, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, 
+    (byte) 0x55, (byte) 0x04, (byte) 0x04, (byte) 0x0c, (byte) 0x0c, (byte) 0x58, (byte) 0x58, (byte) 0x58, 
+    (byte) 0x54, (byte) 0xc3, (byte) 0xbc, (byte) 0x7a, (byte) 0x65, (byte) 0x6b, (byte) 0xc3, (byte) 0xa7, 
+    (byte) 0x69, (byte) 0x31, (byte) 0x13, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, 
+    (byte) 0x04, (byte) 0x2a, (byte) 0x0c, (byte) 0x0a, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0xc5, 
+    (byte) 0x90, (byte) 0x7a, (byte) 0x67, (byte) 0xc3, (byte) 0xbc, (byte) 0x72, (byte) 0x31, (byte) 0x15, 
+    (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x05, (byte) 0x13, 
+    (byte) 0x0c, (byte) 0x37, (byte) 0x30, (byte) 0x34, (byte) 0x38, (byte) 0x37, (byte) 0x31, (byte) 0x30, 
+    (byte) 0x35, (byte) 0x30, (byte) 0x30, (byte) 0x30, (byte) 0x38, (byte) 0x30, (byte) 0x49, (byte) 0x30, 
+    (byte) 0x13, (byte) 0x06, (byte) 0x07, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, 
+    (byte) 0x02, (byte) 0x01, (byte) 0x06, (byte) 0x08, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, 
+    (byte) 0x3d, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0x03, (byte) 0x32, (byte) 0x00, (byte) 0x04, 
+    (byte) 0x02, (byte) 0x55, (byte) 0x51, (byte) 0xf9, (byte) 0x2a, (byte) 0xea, (byte) 0x6f, (byte) 0xd3, 
+    (byte) 0xf5, (byte) 0xda, (byte) 0xa9, (byte) 0x7a, (byte) 0x22, (byte) 0xfc, (byte) 0xb4, (byte) 0x38, 
+    (byte) 0xe9, (byte) 0x5c, (byte) 0xdc, (byte) 0x6b, (byte) 0x86, (byte) 0xa6, (byte) 0x77, (byte) 0xa7, 
+    (byte) 0x90, (byte) 0xf3, (byte) 0x36, (byte) 0xe0, (byte) 0xc4, (byte) 0xde, (byte) 0x72, (byte) 0xf2, 
+    (byte) 0x1a, (byte) 0x07, (byte) 0xfa, (byte) 0xd0, (byte) 0xc8, (byte) 0x1c, (byte) 0xa0, (byte) 0xc8, 
+    (byte) 0x8b, (byte) 0x5d, (byte) 0xde, (byte) 0x9e, (byte) 0xf8, (byte) 0x3b, (byte) 0x7c, (byte) 0x8c, 
+    (byte) 0xa3, (byte) 0x82, (byte) 0x01, (byte) 0xec, (byte) 0x30, (byte) 0x82, (byte) 0x01, (byte) 0xe8, 
+    (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, 
+    (byte) 0x0c, (byte) 0x30, (byte) 0x0a, (byte) 0x80, (byte) 0x08, (byte) 0x47, (byte) 0x7e, (byte) 0x5b, 
+    (byte) 0xdb, (byte) 0x37, (byte) 0x33, (byte) 0xb1, (byte) 0xfa, (byte) 0x30, (byte) 0x7e, (byte) 0x06, 
+    (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x01, 
+    (byte) 0x01, (byte) 0x04, (byte) 0x72, (byte) 0x30, (byte) 0x70, (byte) 0x30, (byte) 0x2c, (byte) 0x06, 
+    (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x30, 
+    (byte) 0x01, (byte) 0x86, (byte) 0x20, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, 
+    (byte) 0x2f, (byte) 0x2f, (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x70, (byte) 0x2d, (byte) 0x74, 
+    (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x6f, 
+    (byte) 0x63, (byte) 0x73, (byte) 0x70, (byte) 0x30, (byte) 0x40, (byte) 0x06, (byte) 0x08, (byte) 0x2b, 
+    (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x30, (byte) 0x02, (byte) 0x86, 
+    (byte) 0x34, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, 
+    (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x63, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x73, (byte) 0x2f, (byte) 0x61, (byte) 0x2d, (byte) 0x73, 
+    (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x74, (byte) 0x6f, (byte) 0x6b, (byte) 0x65, 
+    (byte) 0x6e, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x30, 
+    (byte) 0x33, (byte) 0x2e, (byte) 0x63, (byte) 0x72, (byte) 0x74, (byte) 0x30, (byte) 0x81, (byte) 0x86, 
+    (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x20, (byte) 0x04, (byte) 0x7f, (byte) 0x30, 
+    (byte) 0x7d, (byte) 0x30, (byte) 0x7b, (byte) 0x06, (byte) 0x06, (byte) 0x2a, (byte) 0x28, (byte) 0x00, 
+    (byte) 0x11, (byte) 0x01, (byte) 0x03, (byte) 0x30, (byte) 0x71, (byte) 0x30, (byte) 0x35, (byte) 0x06, 
+    (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x02, 
+    (byte) 0x01, (byte) 0x16, (byte) 0x29, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, 
+    (byte) 0x2f, (byte) 0x2f, (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, 
+    (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, 
+    (byte) 0x2f, (byte) 0x64, (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x2f, (byte) 0x63, (byte) 0x70, 
+    (byte) 0x2f, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, 
+    (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x30, (byte) 0x38, (byte) 0x06, (byte) 0x08, 
+    (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x02, (byte) 0x02, 
+    (byte) 0x30, (byte) 0x2c, (byte) 0x1a, (byte) 0x2a, (byte) 0x44, (byte) 0x69, (byte) 0x65, (byte) 0x73, 
+    (byte) 0x65, (byte) 0x73, (byte) 0x20, (byte) 0x5a, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, 
+    (byte) 0x66, (byte) 0x69, (byte) 0x6b, (byte) 0x61, (byte) 0x74, (byte) 0x20, (byte) 0x64, (byte) 0x69, 
+    (byte) 0x65, (byte) 0x6e, (byte) 0x74, (byte) 0x20, (byte) 0x6e, (byte) 0x75, (byte) 0x72, (byte) 0x20, 
+    (byte) 0x7a, (byte) 0x75, (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x7a, 
+    (byte) 0x77, (byte) 0x65, (byte) 0x63, (byte) 0x6b, (byte) 0x65, (byte) 0x6e, (byte) 0x30, (byte) 0x81, 
+    (byte) 0x99, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x1f, (byte) 0x04, (byte) 0x81, 
+    (byte) 0x91, (byte) 0x30, (byte) 0x81, (byte) 0x8e, (byte) 0x30, (byte) 0x81, (byte) 0x8b, (byte) 0xa0, 
+    (byte) 0x81, (byte) 0x88, (byte) 0xa0, (byte) 0x81, (byte) 0x85, (byte) 0x86, (byte) 0x81, (byte) 0x82, 
+    (byte) 0x6c, (byte) 0x64, (byte) 0x61, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x6c, 
+    (byte) 0x64, (byte) 0x61, (byte) 0x70, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, 
+    (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, 
+    (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x6f, (byte) 0x75, (byte) 0x3d, (byte) 0x61, 
+    (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x74, (byte) 0x6f, 
+    (byte) 0x6b, (byte) 0x65, (byte) 0x6e, (byte) 0x2d, (byte) 0x30, (byte) 0x33, (byte) 0x2c, (byte) 0x6f, 
+    (byte) 0x3d, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, 
+    (byte) 0x2c, (byte) 0x63, (byte) 0x3d, (byte) 0x41, (byte) 0x54, (byte) 0x3f, (byte) 0x63, (byte) 0x65, 
+    (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, (byte) 0x74, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x65, (byte) 0x76, (byte) 0x6f, (byte) 0x63, (byte) 0x61, (byte) 0x74, 
+    (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x6c, (byte) 0x69, (byte) 0x73, (byte) 0x74, (byte) 0x3f, 
+    (byte) 0x62, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x3f, (byte) 0x6f, (byte) 0x62, (byte) 0x6a, 
+    (byte) 0x65, (byte) 0x63, (byte) 0x74, (byte) 0x63, (byte) 0x6c, (byte) 0x61, (byte) 0x73, (byte) 0x73, 
+    (byte) 0x3d, (byte) 0x65, (byte) 0x69, (byte) 0x64, (byte) 0x43, (byte) 0x65, (byte) 0x72, (byte) 0x74, 
+    (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x69, (byte) 0x6f, 
+    (byte) 0x6e, (byte) 0x41, (byte) 0x75, (byte) 0x74, (byte) 0x68, (byte) 0x6f, (byte) 0x72, (byte) 0x69, 
+    (byte) 0x74, (byte) 0x79, (byte) 0x30, (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, 
+    (byte) 0x0e, (byte) 0x04, (byte) 0x0a, (byte) 0x04, (byte) 0x08, (byte) 0x4a, (byte) 0x43, (byte) 0x51, 
+    (byte) 0x30, (byte) 0x45, (byte) 0xfc, (byte) 0x2a, (byte) 0x00, (byte) 0x30, (byte) 0x0e, (byte) 0x06, 
+    (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0f, (byte) 0x01, (byte) 0x01, (byte) 0xff, (byte) 0x04, 
+    (byte) 0x04, (byte) 0x03, (byte) 0x02, (byte) 0x04, (byte) 0xb0, (byte) 0x30, (byte) 0x09, (byte) 0x06, 
+    (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, (byte) 0x02, (byte) 0x30, (byte) 0x00, 
+    (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0x86, 
+    (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x00, (byte) 0x03, 
+    (byte) 0x82, (byte) 0x01, (byte) 0x01, (byte) 0x00, (byte) 0x31, (byte) 0xdc, (byte) 0xf3, (byte) 0x43, 
+    (byte) 0x79, (byte) 0xdd, (byte) 0xa9, (byte) 0x2a, (byte) 0xdc, (byte) 0x21, (byte) 0xf9, (byte) 0xd9, 
+    (byte) 0x8f, (byte) 0x9a, (byte) 0x4e, (byte) 0x01, (byte) 0x40, (byte) 0x9a, (byte) 0xf1, (byte) 0x14, 
+    (byte) 0x8d, (byte) 0x3a, (byte) 0x5e, (byte) 0x88, (byte) 0x36, (byte) 0x45, (byte) 0x1f, (byte) 0x16, 
+    (byte) 0x3e, (byte) 0xeb, (byte) 0xa2, (byte) 0xef, (byte) 0xbf, (byte) 0x55, (byte) 0xbd, (byte) 0x5e, 
+    (byte) 0x0e, (byte) 0x19, (byte) 0xc7, (byte) 0x0c, (byte) 0xbd, (byte) 0xed, (byte) 0xdf, (byte) 0xb8, 
+    (byte) 0x75, (byte) 0x4e, (byte) 0x6a, (byte) 0x3a, (byte) 0x9a, (byte) 0x10, (byte) 0xfa, (byte) 0x49, 
+    (byte) 0xc1, (byte) 0xd2, (byte) 0x35, (byte) 0xc5, (byte) 0x9a, (byte) 0xd7, (byte) 0xf4, (byte) 0xf0, 
+    (byte) 0xcd, (byte) 0x13, (byte) 0xd1, (byte) 0x24, (byte) 0x06, (byte) 0xf8, (byte) 0x1f, (byte) 0xea, 
+    (byte) 0xd6, (byte) 0x7a, (byte) 0xcb, (byte) 0x4f, (byte) 0xb5, (byte) 0x3e, (byte) 0x6c, (byte) 0xb2, 
+    (byte) 0xfc, (byte) 0xe3, (byte) 0xaa, (byte) 0x2b, (byte) 0x20, (byte) 0x91, (byte) 0xf5, (byte) 0x5b, 
+    (byte) 0xf1, (byte) 0x94, (byte) 0x0e, (byte) 0x06, (byte) 0x0a, (byte) 0xfd, (byte) 0x25, (byte) 0x71, 
+    (byte) 0x11, (byte) 0xfc, (byte) 0x84, (byte) 0x46, (byte) 0xef, (byte) 0x5b, (byte) 0x0b, (byte) 0xa4, 
+    (byte) 0x4a, (byte) 0x5d, (byte) 0x42, (byte) 0x99, (byte) 0xc8, (byte) 0x4e, (byte) 0x51, (byte) 0xd8, 
+    (byte) 0x63, (byte) 0xd1, (byte) 0xbd, (byte) 0x00, (byte) 0xa3, (byte) 0xdd, (byte) 0x8f, (byte) 0x12, 
+    (byte) 0x42, (byte) 0xbe, (byte) 0xca, (byte) 0x15, (byte) 0x37, (byte) 0x4c, (byte) 0xd2, (byte) 0xc9, 
+    (byte) 0xa7, (byte) 0x37, (byte) 0xb2, (byte) 0x76, (byte) 0xb7, (byte) 0x34, (byte) 0x92, (byte) 0x98, 
+    (byte) 0x60, (byte) 0xe7, (byte) 0x3d, (byte) 0x55, (byte) 0xa2, (byte) 0x6c, (byte) 0xb6, (byte) 0x66, 
+    (byte) 0x67, (byte) 0xe1, (byte) 0xe4, (byte) 0x8f, (byte) 0xe3, (byte) 0xa5, (byte) 0xb8, (byte) 0xb5, 
+    (byte) 0xc8, (byte) 0x8f, (byte) 0x9e, (byte) 0xe3, (byte) 0xf1, (byte) 0xaa, (byte) 0x8e, (byte) 0xe6, 
+    (byte) 0xe2, (byte) 0x47, (byte) 0x49, (byte) 0x3d, (byte) 0xbe, (byte) 0x8c, (byte) 0xdd, (byte) 0xce, 
+    (byte) 0x8d, (byte) 0x52, (byte) 0xac, (byte) 0xb9, (byte) 0x83, (byte) 0xe9, (byte) 0x9d, (byte) 0x98, 
+    (byte) 0x7b, (byte) 0xda, (byte) 0x2b, (byte) 0xbc, (byte) 0x83, (byte) 0xcb, (byte) 0x74, (byte) 0x64, 
+    (byte) 0x17, (byte) 0x4c, (byte) 0x33, (byte) 0xbb, (byte) 0x88, (byte) 0xc2, (byte) 0xdd, (byte) 0x08, 
+    (byte) 0x69, (byte) 0xd8, (byte) 0xa2, (byte) 0xac, (byte) 0x95, (byte) 0x71, (byte) 0xd3, (byte) 0xf8, 
+    (byte) 0xc9, (byte) 0xd1, (byte) 0xd6, (byte) 0x0e, (byte) 0xc3, (byte) 0x67, (byte) 0xa1, (byte) 0xdb, 
+    (byte) 0xca, (byte) 0x58, (byte) 0xaa, (byte) 0x4b, (byte) 0xec, (byte) 0x37, (byte) 0x46, (byte) 0x73, 
+    (byte) 0xc3, (byte) 0xa3, (byte) 0x7b, (byte) 0x1e, (byte) 0xdd, (byte) 0xf9, (byte) 0xb3, (byte) 0xbb, 
+    (byte) 0xe0, (byte) 0x16, (byte) 0x39, (byte) 0xaf, (byte) 0xa0, (byte) 0x19, (byte) 0x9e, (byte) 0x89, 
+    (byte) 0x37, (byte) 0x1e, (byte) 0x6e, (byte) 0x41, (byte) 0x59, (byte) 0xe1, (byte) 0x86, (byte) 0xea, 
+    (byte) 0x0b, (byte) 0x39, (byte) 0x03, (byte) 0x89, (byte) 0xd2, (byte) 0xba, (byte) 0xd5, (byte) 0x0c, 
+    (byte) 0x84, (byte) 0x09, (byte) 0xdd, (byte) 0xc7, (byte) 0x00, (byte) 0x2c, (byte) 0x2e, (byte) 0x1a, 
+    (byte) 0x69, (byte) 0xeb, (byte) 0xdf, (byte) 0xb1
+  };
+  
+
+  protected byte[] EF_C_X509_CH_AUT = new byte[2000];
+  
+  public STARCOSApplGewoehnlicheSignatur(STARCOSCardChannelEmul channel) {
+    super(channel);
+    // Files
+    System.arraycopy(C_X509_CH_AUT, 0, EF_C_X509_CH_AUT, 0, C_X509_CH_AUT.length);
+    putFile(new File(FID_EF_C_X509_CH_AUT, EF_C_X509_CH_AUT, FCI_EF_C_X509_CH_AUT));
+  }
+
+  @Override
+  public byte[] getAID() {
+    return AID_GewoehnlicheSignatur;
+  }
+
+  @Override
+  public byte[] getFID() {
+    return FID_GewoehnlicheSignatur;
+  }
+
+  @Override
+  public byte[] getFCI() {
+    return FCI;
+  }
+
+  public void clearCert() {
+    Arrays.fill(EF_C_X509_CH_AUT, (byte) 0x00);
+  }
+
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) throws CardException {
+
+    checkINS(command, 0x22);
+
+    switch (command.getP2()) {
+    case 0xA4:
+      switch (command.getP1()) {
+      case 0x41:
+        // INTERNAL AUTHENTICATE
+      case 0x81:
+        // EXTERNAL AUTHENTICATE
+      }
+    case 0xB6:
+      switch (command.getP1()) {
+      case 0x41: {
+        // PSO - COMPUTE DIGITAL SIGNATURE
+        byte[] dst = new byte[] { (byte) 0x84, (byte) 0x03, (byte) 0x80,
+            (byte) 0x02, (byte) 0x00, (byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10};
+        if (Arrays.equals(dst, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80});
+        }
+      }
+      case 0x81:
+        // PSO - VERIFY DGITAL SIGNATURE
+      }
+    case 0xB8:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO � DECIPHER
+      case 0x81:
+        // PSO � ENCIPHER
+      }
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+
+    
+  }
+
+  @Override
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel) throws CardException {
+    
+    checkINS(command, 0x2A);
+  
+    if (command.getP1() == 0x90 && command.getP2() == 0xA0) {
+      
+      // HASH
+      byte[] data = command.getData();
+      if (data[0] == (byte) 0x90 && data[1] == (byte) 0x14) {
+        hash = Arrays.copyOfRange(data, 2, data.length);
+        return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+      } else {
+        throw new CardException("HASH command only supports complete hash.");
+      }
+      
+    } else if (command.getP1() == 0x9E && command.getP2() == 0x9A) {
+      
+      // COMPUTE DIGITAL SIGNATURE
+      if (securityEnv == null) {
+        // No security environment
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+      }
+      if (hash == null) {
+        // Command sequence not correct
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x03});
+      }
+      if (hash.length != 20) {
+        // Invalid hash length
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80});
+      }
+      STARCOSCardChannelEmul c = (STARCOSCardChannelEmul) channel;
+      if (c.globalPins.get(STARCOSCardChannelEmul.KID_PIN_Glob).state != PIN.STATE_PIN_VERIFIED) {
+        // Security Status not satisfied
+        return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+      }
+      
+      byte[] signature = new byte[48]; 
+      
+      // TODO replace by signature creation
+      Random random = new Random();
+      random.nextBytes(signature);
+      
+      byte[] response = new byte[signature.length + 2];
+      System.arraycopy(signature, 0, response, 0, signature.length);
+      response[signature.length] = (byte) 0x90;
+      response[signature.length + 1] = (byte) 0x00;
+      
+      hash = null;
+      
+      return new ResponseAPDU(response);
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    }
+    
+  }
+
+  
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java
new file mode 100644
index 00000000..b7835a43
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java
@@ -0,0 +1,160 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import java.util.Arrays;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+
+@SuppressWarnings("restriction")
+public class STARCOSApplInfobox extends STARCOSAppl {
+
+  public static final byte[] IDLINK = new byte[] {
+    (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x11, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x0c, 
+    (byte) 0x26, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, 
+    (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x7a, 
+    (byte) 0x6d, (byte) 0x72, (byte) 0x2f, (byte) 0x70, (byte) 0x65, (byte) 0x72, (byte) 0x73, (byte) 0x62, 
+    (byte) 0x32, (byte) 0x30, (byte) 0x34, (byte) 0x2e, (byte) 0x78, (byte) 0x73, (byte) 0x6c, (byte) 0x0c, 
+    (byte) 0x29, (byte) 0x73, (byte) 0x7a, (byte) 0x72, (byte) 0x2e, (byte) 0x62, (byte) 0x6d, (byte) 0x69, 
+    (byte) 0x2e, (byte) 0x67, (byte) 0x76, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2d, (byte) 0x41, 
+    (byte) 0x73, (byte) 0x73, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, 
+    (byte) 0x49, (byte) 0x44, (byte) 0x31, (byte) 0x32, (byte) 0x33, (byte) 0x36, (byte) 0x33, (byte) 0x35, 
+    (byte) 0x36, (byte) 0x33, (byte) 0x36, (byte) 0x36, (byte) 0x37, (byte) 0x39, (byte) 0x39, (byte) 0x39, 
+    (byte) 0x31, (byte) 0x39, (byte) 0x0c, (byte) 0x19, (byte) 0x32, (byte) 0x30, (byte) 0x30, (byte) 0x39, 
+    (byte) 0x2d, (byte) 0x30, (byte) 0x33, (byte) 0x2d, (byte) 0x30, (byte) 0x36, (byte) 0x54, (byte) 0x31, 
+    (byte) 0x36, (byte) 0x3a, (byte) 0x31, (byte) 0x39, (byte) 0x3a, (byte) 0x32, (byte) 0x36, (byte) 0x2b, 
+    (byte) 0x30, (byte) 0x31, (byte) 0x3a, (byte) 0x30, (byte) 0x30, (byte) 0xa0, (byte) 0x42, (byte) 0x30, 
+    (byte) 0x40, (byte) 0x0c, (byte) 0x18, (byte) 0x45, (byte) 0x68, (byte) 0x42, (byte) 0x53, (byte) 0x36, 
+    (byte) 0x54, (byte) 0x6f, (byte) 0x31, (byte) 0x49, (byte) 0x6c, (byte) 0x54, (byte) 0x4b, (byte) 0x4f, 
+    (byte) 0x4a, (byte) 0x45, (byte) 0x39, (byte) 0x75, (byte) 0x62, (byte) 0x74, (byte) 0x48, (byte) 0x69, 
+    (byte) 0x51, (byte) 0x3d, (byte) 0x3d, (byte) 0x0c, (byte) 0x0a, (byte) 0x58, (byte) 0x58, (byte) 0x58, 
+    (byte) 0xc5, (byte) 0x90, (byte) 0x7a, (byte) 0x67, (byte) 0xc3, (byte) 0xbc, (byte) 0x72, (byte) 0x0c, 
+    (byte) 0x0c, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x54, (byte) 0xc3, (byte) 0xbc, (byte) 0x7a, 
+    (byte) 0x65, (byte) 0x6b, (byte) 0xc3, (byte) 0xa7, (byte) 0x69, (byte) 0x0c, (byte) 0x0a, (byte) 0x31, 
+    (byte) 0x39, (byte) 0x37, (byte) 0x33, (byte) 0x2d, (byte) 0x30, (byte) 0x36, (byte) 0x2d, (byte) 0x30, 
+    (byte) 0x34, (byte) 0x30, (byte) 0x0a, (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x00, 
+    (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x01, (byte) 0x03, (byte) 0x82, (byte) 0x01, 
+    (byte) 0x01, (byte) 0x00, (byte) 0x9f, (byte) 0xa5, (byte) 0x68, (byte) 0xa9, (byte) 0x14, (byte) 0x4c, 
+    (byte) 0xa4, (byte) 0x5d, (byte) 0x9d, (byte) 0x09, (byte) 0x99, (byte) 0x2e, (byte) 0xe7, (byte) 0x45, 
+    (byte) 0x2e, (byte) 0x42, (byte) 0x49, (byte) 0x02, (byte) 0x16, (byte) 0xd9, (byte) 0xcb, (byte) 0x90, 
+    (byte) 0x43, (byte) 0x27, (byte) 0x03, (byte) 0x43, (byte) 0x6d, (byte) 0xb4, (byte) 0x8c, (byte) 0xdc, 
+    (byte) 0x1c, (byte) 0x77, (byte) 0xd4, (byte) 0x2e, (byte) 0xa1, (byte) 0x40, (byte) 0xe7, (byte) 0xe0, 
+    (byte) 0x03, (byte) 0x60, (byte) 0x15, (byte) 0xf7, (byte) 0xdb, (byte) 0x03, (byte) 0x5e, (byte) 0xca, 
+    (byte) 0xe4, (byte) 0x35, (byte) 0xba, (byte) 0x2b, (byte) 0xfd, (byte) 0xe6, (byte) 0xb8, (byte) 0xd8, 
+    (byte) 0xb7, (byte) 0x2a, (byte) 0x80, (byte) 0xdd, (byte) 0x38, (byte) 0xe0, (byte) 0x8a, (byte) 0x69, 
+    (byte) 0xad, (byte) 0x67, (byte) 0x60, (byte) 0x65, (byte) 0x42, (byte) 0xc9, (byte) 0x41, (byte) 0x60, 
+    (byte) 0x94, (byte) 0xde, (byte) 0x84, (byte) 0x54, (byte) 0xad, (byte) 0xb3, (byte) 0xf4, (byte) 0xf7, 
+    (byte) 0x44, (byte) 0xd5, (byte) 0xf3, (byte) 0xd3, (byte) 0xb6, (byte) 0x87, (byte) 0x8a, (byte) 0x22, 
+    (byte) 0x38, (byte) 0x00, (byte) 0xcb, (byte) 0xa4, (byte) 0x4f, (byte) 0x96, (byte) 0xc2, (byte) 0x28, 
+    (byte) 0xc2, (byte) 0x8d, (byte) 0x91, (byte) 0x95, (byte) 0xb4, (byte) 0xea, (byte) 0x00, (byte) 0x59, 
+    (byte) 0x2e, (byte) 0xec, (byte) 0x78, (byte) 0xd8, (byte) 0x0f, (byte) 0x26, (byte) 0x04, (byte) 0xee, 
+    (byte) 0xed, (byte) 0x13, (byte) 0xbf, (byte) 0x81, (byte) 0x68, (byte) 0x81, (byte) 0x43, (byte) 0xbe, 
+    (byte) 0x15, (byte) 0x0e, (byte) 0xba, (byte) 0xf9, (byte) 0x6a, (byte) 0x18, (byte) 0xeb, (byte) 0x95, 
+    (byte) 0xad, (byte) 0xb4, (byte) 0x0f, (byte) 0x3c, (byte) 0x94, (byte) 0x63, (byte) 0x32, (byte) 0x81, 
+    (byte) 0x90, (byte) 0xcf, (byte) 0x3f, (byte) 0x95, (byte) 0xff, (byte) 0x8d, (byte) 0x86, (byte) 0xed, 
+    (byte) 0xe4, (byte) 0x75, (byte) 0xd5, (byte) 0x09, (byte) 0x32, (byte) 0x17, (byte) 0x38, (byte) 0xb2, 
+    (byte) 0x68, (byte) 0x35, (byte) 0x49, (byte) 0x8c, (byte) 0xa6, (byte) 0xd0, (byte) 0x3e, (byte) 0xde, 
+    (byte) 0x6e, (byte) 0x47, (byte) 0x68, (byte) 0xbf, (byte) 0x98, (byte) 0x33, (byte) 0xae, (byte) 0x59, 
+    (byte) 0x9f, (byte) 0xe0, (byte) 0x19, (byte) 0x9b, (byte) 0x5b, (byte) 0x1b, (byte) 0x8f, (byte) 0x74, 
+    (byte) 0xd2, (byte) 0x9c, (byte) 0x01, (byte) 0x1a, (byte) 0xdf, (byte) 0xaf, (byte) 0xf8, (byte) 0x96, 
+    (byte) 0x91, (byte) 0xcb, (byte) 0xf8, (byte) 0xbf, (byte) 0x06, (byte) 0xc7, (byte) 0xd5, (byte) 0x17, 
+    (byte) 0x95, (byte) 0xef, (byte) 0xc5, (byte) 0x97, (byte) 0x37, (byte) 0x1b, (byte) 0xb0, (byte) 0xa1, 
+    (byte) 0x4f, (byte) 0x9f, (byte) 0x01, (byte) 0x82, (byte) 0x90, (byte) 0x4a, (byte) 0x6a, (byte) 0x04, 
+    (byte) 0xdb, (byte) 0x31, (byte) 0x1a, (byte) 0x58, (byte) 0xeb, (byte) 0xcd, (byte) 0x68, (byte) 0xe3, 
+    (byte) 0x68, (byte) 0x0b, (byte) 0xa0, (byte) 0x11, (byte) 0x44, (byte) 0x08, (byte) 0xa0, (byte) 0x5c, 
+    (byte) 0xfc, (byte) 0x61, (byte) 0x15, (byte) 0x1f, (byte) 0xbb, (byte) 0x22, (byte) 0x87, (byte) 0x18, 
+    (byte) 0xa3, (byte) 0x07, (byte) 0x9b, (byte) 0x0d, (byte) 0x13, (byte) 0x7c, (byte) 0xff, (byte) 0x30, 
+    (byte) 0xcf, (byte) 0xf3, (byte) 0xaf, (byte) 0xe4, (byte) 0x45, (byte) 0x05, (byte) 0xa0, (byte) 0x8e, 
+    (byte) 0x6b, (byte) 0xef, (byte) 0x70, (byte) 0xf5, (byte) 0x4b, (byte) 0x68, (byte) 0x8f, (byte) 0x61, 
+    (byte) 0xd6, (byte) 0xf5, (byte) 0xa0, (byte) 0x17, (byte) 0x03, (byte) 0x15, (byte) 0x00, (byte) 0x8e, 
+    (byte) 0xa8, (byte) 0xdf, (byte) 0xa9, (byte) 0x77, (byte) 0xfd, (byte) 0x9b, (byte) 0x4b, (byte) 0x91, 
+    (byte) 0x89, (byte) 0x34, (byte) 0x84, (byte) 0xf3, (byte) 0x24, (byte) 0xb2, (byte) 0x5a, (byte) 0x39, 
+    (byte) 0xa9, (byte) 0xf2, (byte) 0x17, (byte) 0xa1, (byte) 0x17, (byte) 0x03, (byte) 0x15, (byte) 0x00, 
+    (byte) 0xdb, (byte) 0xa2, (byte) 0xfd, (byte) 0xa4, (byte) 0xe7, (byte) 0x65, (byte) 0x2e, (byte) 0x7e, 
+    (byte) 0xb0, (byte) 0xc8, (byte) 0xfa, (byte) 0x4d, (byte) 0x13, (byte) 0x28, (byte) 0xdf, (byte) 0xb1, 
+    (byte) 0x58, (byte) 0x3b, (byte) 0x9e, (byte) 0x29, (byte) 0xa2, (byte) 0x17, (byte) 0x03, (byte) 0x15, 
+    (byte) 0x00, (byte) 0x68, (byte) 0xa0, (byte) 0x17, (byte) 0x18, (byte) 0xb7, (byte) 0xb3, (byte) 0xc3, 
+    (byte) 0x60, (byte) 0x77, (byte) 0x82, (byte) 0x8d, (byte) 0xf1, (byte) 0x5e, (byte) 0x10, (byte) 0xc3, 
+    (byte) 0x2d, (byte) 0x78, (byte) 0x2c, (byte) 0x11, (byte) 0x0b
+  };
+  
+  private static byte[] FCP = new byte[] { (byte) 0x6f, (byte) 0x14,
+      (byte) 0x84, (byte) 0x08, (byte) 0xd0, (byte) 0x40, (byte) 0x00,
+      (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x18, (byte) 0x01,
+      (byte) 0xa5, (byte) 0x08, (byte) 0x53, (byte) 0x02, (byte) 0x01,
+      (byte) 0x11, (byte) 0x54, (byte) 0x02, (byte) 0x01, (byte) 0x00 };
+  
+  protected static byte[] FID_EF_IdentityLink = new byte[] { (byte) 0xef, (byte) 0x01 };
+  
+  protected static byte[] FCP_EF_IdentityLink = new byte[] { (byte) 0x62,
+      (byte) 0x16, (byte) 0x80, (byte) 0x02, (byte) 0x04, (byte) 0x00,
+      (byte) 0x82, (byte) 0x01, (byte) 0x01, (byte) 0x83, (byte) 0x02,
+      (byte) 0xef, (byte) 0x01, (byte) 0x88, (byte) 0x01, (byte) 0x08,
+      (byte) 0x8a, (byte) 0x01, (byte) 0x05, (byte) 0xa1, (byte) 0x03,
+      (byte) 0x8b, (byte) 0x01, (byte) 0x02 };
+  
+  protected static byte[] EF_IdentityLink = new byte[1500];
+
+  public STARCOSApplInfobox(STARCOSCardChannelEmul channel) {
+    super(channel);
+    System.arraycopy(IDLINK, 0, EF_IdentityLink, 0, IDLINK.length);
+    putFile(new File(FID_EF_IdentityLink, EF_IdentityLink, FCP_EF_IdentityLink, 0x01));
+  }
+
+  @Override
+  public byte[] getAID() {
+    return AID_Infobox;
+  }
+
+  @Override
+  public byte[] getFID() {
+    return FID_Infobox;
+  }
+
+  @Override
+  public byte[] getFCI() {
+    return FCP;
+  }
+
+  public void clearInfobox() {
+    Arrays.fill(EF_IdentityLink, (byte) 0x00);
+  }
+  
+  public void setInfoboxHeader(byte b) {
+    EF_IdentityLink[0] = b;
+  }
+  
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel)
+      throws CardException {
+    throw new CardException("Not supported.");
+  }
+
+  @Override
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel)
+      throws CardException {
+    throw new CardException("Not supported.");
+  }
+
+  
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java
new file mode 100644
index 00000000..9fb5ad37
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java
@@ -0,0 +1,347 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Random;
+
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public class STARCOSApplSichereSignatur extends STARCOSAppl {
+
+  private static byte[] FCI = new byte[] { (byte) 0x6f, (byte) 0x16,
+      (byte) 0x84, (byte) 0x08, (byte) 0xd0, (byte) 0x40, (byte) 0x00,
+      (byte) 0x00, (byte) 0x17, (byte) 0x00, (byte) 0x12, (byte) 0x01,
+      (byte) 0xa5, (byte) 0x0a, (byte) 0x53, (byte) 0x02, (byte) 0x01,
+      (byte) 0x10, (byte) 0x54, (byte) 0x04, (byte) 0x01, (byte) 0x00,
+      (byte) 0x03, (byte) 0x00 };
+  
+  protected static byte[] FID_EF_C_X509_CH_DS = new byte[] { (byte) 0xc0,
+      (byte) 0x00 };
+  
+  protected static byte[] FCI_EF_C_X509_CH_DS = new byte[] { (byte) 0x62,
+      (byte) 0x16, (byte) 0x80, (byte) 0x02, (byte) 0x04, (byte) 0xef,
+      (byte) 0x82, (byte) 0x01, (byte) 0x01, (byte) 0x83, (byte) 0x02,
+      (byte) 0xc0, (byte) 0x00, (byte) 0x88, (byte) 0x01, (byte) 0x08,
+      (byte) 0x8a, (byte) 0x01, (byte) 0x05, (byte) 0xa1, (byte) 0x03,
+      (byte) 0x8b, (byte) 0x01, (byte) 0x0e };
+  
+  protected static byte[] C_X509_CH_DS = new byte[] {
+    (byte) 0x30, (byte) 0x82, (byte) 0x04, (byte) 0xeb, (byte) 0x30, (byte) 0x82, (byte) 0x03, (byte) 0xd3, 
+    (byte) 0xa0, (byte) 0x03, (byte) 0x02, (byte) 0x01, (byte) 0x02, (byte) 0x02, (byte) 0x03, (byte) 0x02, 
+    (byte) 0x06, (byte) 0x5e, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, (byte) 0x86, 
+    (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, (byte) 0x05, 
+    (byte) 0x00, (byte) 0x30, (byte) 0x81, (byte) 0xa1, (byte) 0x31, (byte) 0x0b, (byte) 0x30, (byte) 0x09, 
+    (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, (byte) 0x13, (byte) 0x02, (byte) 0x41, 
+    (byte) 0x54, (byte) 0x31, (byte) 0x48, (byte) 0x30, (byte) 0x46, (byte) 0x06, (byte) 0x03, (byte) 0x55, 
+    (byte) 0x04, (byte) 0x0a, (byte) 0x0c, (byte) 0x3f, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x20, (byte) 0x47, (byte) 0x65, (byte) 0x73, (byte) 0x2e, 
+    (byte) 0x20, (byte) 0x66, (byte) 0x2e, (byte) 0x20, (byte) 0x53, (byte) 0x69, (byte) 0x63, (byte) 0x68, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x68, (byte) 0x65, (byte) 0x69, (byte) 0x74, (byte) 0x73, (byte) 0x73, 
+    (byte) 0x79, (byte) 0x73, (byte) 0x74, (byte) 0x65, (byte) 0x6d, (byte) 0x65, (byte) 0x20, (byte) 0x69, 
+    (byte) 0x6d, (byte) 0x20, (byte) 0x65, (byte) 0x6c, (byte) 0x65, (byte) 0x6b, (byte) 0x74, (byte) 0x72, 
+    (byte) 0x2e, (byte) 0x20, (byte) 0x44, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x6e, (byte) 0x76, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x6b, (byte) 0x65, (byte) 0x68, (byte) 0x72, (byte) 0x20, (byte) 0x47, 
+    (byte) 0x6d, (byte) 0x62, (byte) 0x48, (byte) 0x31, (byte) 0x23, (byte) 0x30, (byte) 0x21, (byte) 0x06, 
+    (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x0b, (byte) 0x0c, (byte) 0x1a, (byte) 0x61, (byte) 0x2d, 
+    (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, 
+    (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, 
+    (byte) 0x74, (byte) 0x2d, (byte) 0x53, (byte) 0x69, (byte) 0x67, (byte) 0x2d, (byte) 0x30, (byte) 0x32, 
+    (byte) 0x31, (byte) 0x23, (byte) 0x30, (byte) 0x21, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, 
+    (byte) 0x03, (byte) 0x0c, (byte) 0x1a, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, 
+    (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, 
+    (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x53, 
+    (byte) 0x69, (byte) 0x67, (byte) 0x2d, (byte) 0x30, (byte) 0x32, (byte) 0x30, (byte) 0x1e, (byte) 0x17, 
+    (byte) 0x0d, (byte) 0x30, (byte) 0x39, (byte) 0x30, (byte) 0x33, (byte) 0x30, (byte) 0x36, (byte) 0x31, 
+    (byte) 0x35, (byte) 0x32, (byte) 0x32, (byte) 0x33, (byte) 0x37, (byte) 0x5a, (byte) 0x17, (byte) 0x0d, 
+    (byte) 0x31, (byte) 0x32, (byte) 0x30, (byte) 0x33, (byte) 0x30, (byte) 0x36, (byte) 0x31, (byte) 0x35, 
+    (byte) 0x32, (byte) 0x32, (byte) 0x33, (byte) 0x37, (byte) 0x5a, (byte) 0x30, (byte) 0x72, (byte) 0x31, 
+    (byte) 0x0b, (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x06, 
+    (byte) 0x13, (byte) 0x02, (byte) 0x41, (byte) 0x54, (byte) 0x31, (byte) 0x20, (byte) 0x30, (byte) 0x1e, 
+    (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x03, (byte) 0x0c, (byte) 0x17, (byte) 0x58, 
+    (byte) 0x58, (byte) 0x58, (byte) 0xc5, (byte) 0x90, (byte) 0x7a, (byte) 0x67, (byte) 0xc3, (byte) 0xbc, 
+    (byte) 0x72, (byte) 0x20, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x54, (byte) 0xc3, (byte) 0xbc, 
+    (byte) 0x7a, (byte) 0x65, (byte) 0x6b, (byte) 0xc3, (byte) 0xa7, (byte) 0x69, (byte) 0x31, (byte) 0x15, 
+    (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x04, (byte) 0x0c, 
+    (byte) 0x0c, (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0x54, (byte) 0xc3, (byte) 0xbc, (byte) 0x7a, 
+    (byte) 0x65, (byte) 0x6b, (byte) 0xc3, (byte) 0xa7, (byte) 0x69, (byte) 0x31, (byte) 0x13, (byte) 0x30, 
+    (byte) 0x11, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x04, (byte) 0x2a, (byte) 0x0c, (byte) 0x0a, 
+    (byte) 0x58, (byte) 0x58, (byte) 0x58, (byte) 0xc5, (byte) 0x90, (byte) 0x7a, (byte) 0x67, (byte) 0xc3, 
+    (byte) 0xbc, (byte) 0x72, (byte) 0x31, (byte) 0x15, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, 
+    (byte) 0x55, (byte) 0x04, (byte) 0x05, (byte) 0x13, (byte) 0x0c, (byte) 0x37, (byte) 0x30, (byte) 0x34, 
+    (byte) 0x38, (byte) 0x37, (byte) 0x31, (byte) 0x30, (byte) 0x35, (byte) 0x30, (byte) 0x30, (byte) 0x30, 
+    (byte) 0x38, (byte) 0x30, (byte) 0x49, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x07, (byte) 0x2a, 
+    (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x02, (byte) 0x01, (byte) 0x06, (byte) 0x08, 
+    (byte) 0x2a, (byte) 0x86, (byte) 0x48, (byte) 0xce, (byte) 0x3d, (byte) 0x03, (byte) 0x01, (byte) 0x01, 
+    (byte) 0x03, (byte) 0x32, (byte) 0x00, (byte) 0x04, (byte) 0xde, (byte) 0x75, (byte) 0x22, (byte) 0x4c, 
+    (byte) 0xc4, (byte) 0xd4, (byte) 0x14, (byte) 0x16, (byte) 0x48, (byte) 0x4a, (byte) 0x65, (byte) 0x9d, 
+    (byte) 0x5a, (byte) 0x39, (byte) 0x71, (byte) 0x11, (byte) 0x1c, (byte) 0x33, (byte) 0x7e, (byte) 0x7f, 
+    (byte) 0xb4, (byte) 0x06, (byte) 0x33, (byte) 0x74, (byte) 0xe6, (byte) 0xf3, (byte) 0xc2, (byte) 0x56, 
+    (byte) 0x46, (byte) 0x18, (byte) 0x39, (byte) 0xb9, (byte) 0xc4, (byte) 0x47, (byte) 0x84, (byte) 0xf5, 
+    (byte) 0x46, (byte) 0x41, (byte) 0x60, (byte) 0x78, (byte) 0x81, (byte) 0x45, (byte) 0x4a, (byte) 0x0f, 
+    (byte) 0x67, (byte) 0x77, (byte) 0x77, (byte) 0xb2, (byte) 0xa3, (byte) 0x82, (byte) 0x02, (byte) 0x33, 
+    (byte) 0x30, (byte) 0x82, (byte) 0x02, (byte) 0x2f, (byte) 0x30, (byte) 0x13, (byte) 0x06, (byte) 0x03, 
+    (byte) 0x55, (byte) 0x1d, (byte) 0x23, (byte) 0x04, (byte) 0x0c, (byte) 0x30, (byte) 0x0a, (byte) 0x80, 
+    (byte) 0x08, (byte) 0x46, (byte) 0x06, (byte) 0x9f, (byte) 0x8e, (byte) 0x41, (byte) 0x8e, (byte) 0x15, 
+    (byte) 0xbd, (byte) 0x30, (byte) 0x27, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, 
+    (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x01, (byte) 0x03, (byte) 0x01, (byte) 0x01, (byte) 0xff, 
+    (byte) 0x04, (byte) 0x18, (byte) 0x30, (byte) 0x16, (byte) 0x30, (byte) 0x08, (byte) 0x06, (byte) 0x06, 
+    (byte) 0x04, (byte) 0x00, (byte) 0x8e, (byte) 0x46, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x0a, 
+    (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, 
+    (byte) 0x0b, (byte) 0x01, (byte) 0x30, (byte) 0x81, (byte) 0x84, (byte) 0x06, (byte) 0x08, (byte) 0x2b, 
+    (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x01, (byte) 0x01, (byte) 0x04, 
+    (byte) 0x78, (byte) 0x30, (byte) 0x76, (byte) 0x30, (byte) 0x2c, (byte) 0x06, (byte) 0x08, (byte) 0x2b, 
+    (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x30, (byte) 0x01, (byte) 0x86, 
+    (byte) 0x20, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, 
+    (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x70, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, 
+    (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, 
+    (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x6f, (byte) 0x63, (byte) 0x73, 
+    (byte) 0x70, (byte) 0x30, (byte) 0x46, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, (byte) 0x01, 
+    (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x30, (byte) 0x02, (byte) 0x86, (byte) 0x3a, (byte) 0x68, 
+    (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x77, (byte) 0x77, 
+    (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, 
+    (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x63, (byte) 0x65, (byte) 0x72, 
+    (byte) 0x74, (byte) 0x73, (byte) 0x2f, (byte) 0x61, (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, 
+    (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, 
+    (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x53, 
+    (byte) 0x69, (byte) 0x67, (byte) 0x2d, (byte) 0x30, (byte) 0x32, (byte) 0x2e, (byte) 0x63, (byte) 0x72, 
+    (byte) 0x74, (byte) 0x30, (byte) 0x81, (byte) 0x92, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, 
+    (byte) 0x20, (byte) 0x04, (byte) 0x81, (byte) 0x8a, (byte) 0x30, (byte) 0x81, (byte) 0x87, (byte) 0x30, 
+    (byte) 0x7b, (byte) 0x06, (byte) 0x06, (byte) 0x2a, (byte) 0x28, (byte) 0x00, (byte) 0x11, (byte) 0x01, 
+    (byte) 0x03, (byte) 0x30, (byte) 0x71, (byte) 0x30, (byte) 0x35, (byte) 0x06, (byte) 0x08, (byte) 0x2b, 
+    (byte) 0x06, (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x02, (byte) 0x01, (byte) 0x16, 
+    (byte) 0x29, (byte) 0x68, (byte) 0x74, (byte) 0x74, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, 
+    (byte) 0x77, (byte) 0x77, (byte) 0x77, (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x64, 
+    (byte) 0x6f, (byte) 0x63, (byte) 0x73, (byte) 0x2f, (byte) 0x63, (byte) 0x70, (byte) 0x2f, (byte) 0x61, 
+    (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x74, (byte) 0x65, 
+    (byte) 0x73, (byte) 0x74, (byte) 0x30, (byte) 0x38, (byte) 0x06, (byte) 0x08, (byte) 0x2b, (byte) 0x06, 
+    (byte) 0x01, (byte) 0x05, (byte) 0x05, (byte) 0x07, (byte) 0x02, (byte) 0x02, (byte) 0x30, (byte) 0x2c, 
+    (byte) 0x1a, (byte) 0x2a, (byte) 0x44, (byte) 0x69, (byte) 0x65, (byte) 0x73, (byte) 0x65, (byte) 0x73, 
+    (byte) 0x20, (byte) 0x5a, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, 
+    (byte) 0x6b, (byte) 0x61, (byte) 0x74, (byte) 0x20, (byte) 0x64, (byte) 0x69, (byte) 0x65, (byte) 0x6e, 
+    (byte) 0x74, (byte) 0x20, (byte) 0x6e, (byte) 0x75, (byte) 0x72, (byte) 0x20, (byte) 0x7a, (byte) 0x75, 
+    (byte) 0x20, (byte) 0x54, (byte) 0x65, (byte) 0x73, (byte) 0x74, (byte) 0x7a, (byte) 0x77, (byte) 0x65, 
+    (byte) 0x63, (byte) 0x6b, (byte) 0x65, (byte) 0x6e, (byte) 0x30, (byte) 0x08, (byte) 0x06, (byte) 0x06, 
+    (byte) 0x04, (byte) 0x00, (byte) 0x8b, (byte) 0x30, (byte) 0x01, (byte) 0x01, (byte) 0x30, (byte) 0x81, 
+    (byte) 0xa4, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x1f, (byte) 0x04, (byte) 0x81, 
+    (byte) 0x9c, (byte) 0x30, (byte) 0x81, (byte) 0x99, (byte) 0x30, (byte) 0x81, (byte) 0x96, (byte) 0xa0, 
+    (byte) 0x81, (byte) 0x93, (byte) 0xa0, (byte) 0x81, (byte) 0x90, (byte) 0x86, (byte) 0x81, (byte) 0x8d, 
+    (byte) 0x6c, (byte) 0x64, (byte) 0x61, (byte) 0x70, (byte) 0x3a, (byte) 0x2f, (byte) 0x2f, (byte) 0x6c, 
+    (byte) 0x64, (byte) 0x61, (byte) 0x70, (byte) 0x2d, (byte) 0x74, (byte) 0x65, (byte) 0x73, (byte) 0x74, 
+    (byte) 0x2e, (byte) 0x61, (byte) 0x2d, (byte) 0x74, (byte) 0x72, (byte) 0x75, (byte) 0x73, (byte) 0x74, 
+    (byte) 0x2e, (byte) 0x61, (byte) 0x74, (byte) 0x2f, (byte) 0x6f, (byte) 0x75, (byte) 0x3d, (byte) 0x61, 
+    (byte) 0x2d, (byte) 0x73, (byte) 0x69, (byte) 0x67, (byte) 0x6e, (byte) 0x2d, (byte) 0x50, (byte) 0x72, 
+    (byte) 0x65, (byte) 0x6d, (byte) 0x69, (byte) 0x75, (byte) 0x6d, (byte) 0x2d, (byte) 0x54, (byte) 0x65, 
+    (byte) 0x73, (byte) 0x74, (byte) 0x2d, (byte) 0x53, (byte) 0x69, (byte) 0x67, (byte) 0x2d, (byte) 0x30, 
+    (byte) 0x32, (byte) 0x2c, (byte) 0x6f, (byte) 0x3d, (byte) 0x41, (byte) 0x2d, (byte) 0x54, (byte) 0x72, 
+    (byte) 0x75, (byte) 0x73, (byte) 0x74, (byte) 0x2c, (byte) 0x63, (byte) 0x3d, (byte) 0x41, (byte) 0x54, 
+    (byte) 0x3f, (byte) 0x63, (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, 
+    (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x65, (byte) 0x72, (byte) 0x65, (byte) 0x76, (byte) 0x6f, 
+    (byte) 0x63, (byte) 0x61, (byte) 0x74, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x6c, (byte) 0x69, 
+    (byte) 0x73, (byte) 0x74, (byte) 0x3f, (byte) 0x62, (byte) 0x61, (byte) 0x73, (byte) 0x65, (byte) 0x3f, 
+    (byte) 0x6f, (byte) 0x62, (byte) 0x6a, (byte) 0x65, (byte) 0x63, (byte) 0x74, (byte) 0x63, (byte) 0x6c, 
+    (byte) 0x61, (byte) 0x73, (byte) 0x73, (byte) 0x3d, (byte) 0x65, (byte) 0x69, (byte) 0x64, (byte) 0x43, 
+    (byte) 0x65, (byte) 0x72, (byte) 0x74, (byte) 0x69, (byte) 0x66, (byte) 0x69, (byte) 0x63, (byte) 0x61, 
+    (byte) 0x74, (byte) 0x69, (byte) 0x6f, (byte) 0x6e, (byte) 0x41, (byte) 0x75, (byte) 0x74, (byte) 0x68, 
+    (byte) 0x6f, (byte) 0x72, (byte) 0x69, (byte) 0x74, (byte) 0x79, (byte) 0x30, (byte) 0x11, (byte) 0x06, 
+    (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0e, (byte) 0x04, (byte) 0x0a, (byte) 0x04, (byte) 0x08, 
+    (byte) 0x47, (byte) 0x64, (byte) 0x6e, (byte) 0xbb, (byte) 0x92, (byte) 0xa0, (byte) 0xf6, (byte) 0xf4, 
+    (byte) 0x30, (byte) 0x0e, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x0f, (byte) 0x01, 
+    (byte) 0x01, (byte) 0xff, (byte) 0x04, (byte) 0x04, (byte) 0x03, (byte) 0x02, (byte) 0x06, (byte) 0xc0, 
+    (byte) 0x30, (byte) 0x09, (byte) 0x06, (byte) 0x03, (byte) 0x55, (byte) 0x1d, (byte) 0x13, (byte) 0x04, 
+    (byte) 0x02, (byte) 0x30, (byte) 0x00, (byte) 0x30, (byte) 0x0d, (byte) 0x06, (byte) 0x09, (byte) 0x2a, 
+    (byte) 0x86, (byte) 0x48, (byte) 0x86, (byte) 0xf7, (byte) 0x0d, (byte) 0x01, (byte) 0x01, (byte) 0x05, 
+    (byte) 0x05, (byte) 0x00, (byte) 0x03, (byte) 0x82, (byte) 0x01, (byte) 0x01, (byte) 0x00, (byte) 0x06, 
+    (byte) 0x63, (byte) 0x76, (byte) 0x0a, (byte) 0xd5, (byte) 0x54, (byte) 0xfa, (byte) 0x51, (byte) 0x2a, 
+    (byte) 0xb0, (byte) 0x41, (byte) 0xdc, (byte) 0xa4, (byte) 0x9b, (byte) 0x52, (byte) 0x1c, (byte) 0x0e, 
+    (byte) 0x1d, (byte) 0x65, (byte) 0x46, (byte) 0x2b, (byte) 0xa3, (byte) 0xcd, (byte) 0xd4, (byte) 0x46, 
+    (byte) 0x36, (byte) 0x40, (byte) 0xc3, (byte) 0x49, (byte) 0xe8, (byte) 0xa4, (byte) 0xdc, (byte) 0x01, 
+    (byte) 0xde, (byte) 0x70, (byte) 0x97, (byte) 0x31, (byte) 0xb0, (byte) 0xcd, (byte) 0xdf, (byte) 0x69, 
+    (byte) 0xf8, (byte) 0xc3, (byte) 0x83, (byte) 0xee, (byte) 0xc6, (byte) 0xed, (byte) 0xe3, (byte) 0x18, 
+    (byte) 0x1a, (byte) 0x80, (byte) 0xc1, (byte) 0x30, (byte) 0xa9, (byte) 0xd6, (byte) 0xb1, (byte) 0xb8, 
+    (byte) 0xa8, (byte) 0xe0, (byte) 0x3d, (byte) 0xb1, (byte) 0x8e, (byte) 0x2c, (byte) 0xc9, (byte) 0xa6, 
+    (byte) 0x05, (byte) 0x6e, (byte) 0x4a, (byte) 0xd2, (byte) 0xb2, (byte) 0x03, (byte) 0xa4, (byte) 0x2b, 
+    (byte) 0xa2, (byte) 0xad, (byte) 0xad, (byte) 0xe5, (byte) 0xba, (byte) 0x0d, (byte) 0x54, (byte) 0x8d, 
+    (byte) 0x92, (byte) 0x51, (byte) 0xda, (byte) 0x58, (byte) 0xed, (byte) 0xd3, (byte) 0x8d, (byte) 0x61, 
+    (byte) 0xa1, (byte) 0xfc, (byte) 0x49, (byte) 0xf6, (byte) 0x80, (byte) 0xdb, (byte) 0x65, (byte) 0x92, 
+    (byte) 0xe0, (byte) 0xd5, (byte) 0x23, (byte) 0x69, (byte) 0x0f, (byte) 0x38, (byte) 0x11, (byte) 0x61, 
+    (byte) 0x1e, (byte) 0xcd, (byte) 0xa2, (byte) 0x8e, (byte) 0x68, (byte) 0xec, (byte) 0x70, (byte) 0xfb, 
+    (byte) 0x55, (byte) 0x95, (byte) 0xcb, (byte) 0xb4, (byte) 0x18, (byte) 0x6b, (byte) 0x3a, (byte) 0x25, 
+    (byte) 0x4a, (byte) 0x3e, (byte) 0x07, (byte) 0xb0, (byte) 0x18, (byte) 0x26, (byte) 0x51, (byte) 0x39, 
+    (byte) 0x46, (byte) 0xfa, (byte) 0xe2, (byte) 0xae, (byte) 0xe6, (byte) 0x1c, (byte) 0xd2, (byte) 0xcb, 
+    (byte) 0x28, (byte) 0xa1, (byte) 0x8b, (byte) 0x56, (byte) 0xbb, (byte) 0xe9, (byte) 0x6c, (byte) 0xf7, 
+    (byte) 0x0b, (byte) 0x84, (byte) 0xdd, (byte) 0x7f, (byte) 0x64, (byte) 0x8b, (byte) 0x43, (byte) 0x93, 
+    (byte) 0x62, (byte) 0x39, (byte) 0xfb, (byte) 0x91, (byte) 0xfa, (byte) 0x3a, (byte) 0x57, (byte) 0x56, 
+    (byte) 0x4a, (byte) 0xaa, (byte) 0x99, (byte) 0x1e, (byte) 0x9b, (byte) 0xcc, (byte) 0xa4, (byte) 0xc0, 
+    (byte) 0x18, (byte) 0x46, (byte) 0xae, (byte) 0x15, (byte) 0x24, (byte) 0xf5, (byte) 0xf3, (byte) 0xe6, 
+    (byte) 0x36, (byte) 0x55, (byte) 0x29, (byte) 0xa8, (byte) 0xa9, (byte) 0xaf, (byte) 0x7b, (byte) 0x44, 
+    (byte) 0x19, (byte) 0xda, (byte) 0x66, (byte) 0x4d, (byte) 0x11, (byte) 0x89, (byte) 0x28, (byte) 0x34, 
+    (byte) 0x01, (byte) 0x15, (byte) 0x24, (byte) 0x93, (byte) 0x43, (byte) 0x6a, (byte) 0x8f, (byte) 0xe4, 
+    (byte) 0x54, (byte) 0x3a, (byte) 0x3d, (byte) 0x9b, (byte) 0x2f, (byte) 0xc3, (byte) 0xdb, (byte) 0x7e, 
+    (byte) 0x5e, (byte) 0x12, (byte) 0x00, (byte) 0xaa, (byte) 0xe7, (byte) 0xc1, (byte) 0x82, (byte) 0x1c, 
+    (byte) 0x1d, (byte) 0x1d, (byte) 0x23, (byte) 0x1d, (byte) 0xa3, (byte) 0xcc, (byte) 0x59, (byte) 0xe4, 
+    (byte) 0x7a, (byte) 0xf0, (byte) 0x14, (byte) 0x17, (byte) 0xfb, (byte) 0x96, (byte) 0x90, (byte) 0xc1, 
+    (byte) 0xc0, (byte) 0xde, (byte) 0xdb, (byte) 0x91, (byte) 0xfb, (byte) 0x49, (byte) 0x39, (byte) 0x70, 
+    (byte) 0x76, (byte) 0x2f, (byte) 0x7b, (byte) 0x22, (byte) 0xcd, (byte) 0x35, (byte) 0xcb, (byte) 0xed, 
+    (byte) 0x8f, (byte) 0xb3, (byte) 0x66, (byte) 0xae, (byte) 0x95, (byte) 0x49, (byte) 0x75
+  };
+  
+  protected static final int KID_PIN_SS = 0x81;
+
+  protected byte[] EF_C_X509_CH_DS = new byte[2000];
+  
+  public STARCOSApplSichereSignatur(STARCOSCardChannelEmul channel) {
+    super(channel);
+    // Files
+    System.arraycopy(C_X509_CH_DS, 0, EF_C_X509_CH_DS, 0, C_X509_CH_DS.length);
+    putFile(new File(FID_EF_C_X509_CH_DS, EF_C_X509_CH_DS, FCI_EF_C_X509_CH_DS));
+    
+    // PINs
+    pins.put(KID_PIN_SS, new PIN(new byte[] { (byte) 0x24, (byte) 0x12,
+        (byte) 0x34, (byte) 0x56, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+        (byte) 0xFF }, KID_PIN_SS, 3));
+  }
+
+  @Override
+  public byte[] getAID() {
+    return AID_SichereSignatur;
+  }
+
+  @Override
+  public byte[] getFID() {
+    return FID_SichereSignatur;
+  }
+
+  @Override
+  public byte[] getFCI() {
+    return FCI;
+  }
+
+  @Override
+  public ResponseAPDU cmdPERFORM_SECURITY_OPERATION(CommandAPDU command, CardChannelEmul channel) throws CardException {
+    
+    checkINS(command, 0x2A);
+  
+    if (command.getP1() == 0x90 && command.getP2() == 0xA0) {
+      
+      // HASH
+      byte[] data = command.getData();
+      if (data[0] == (byte) 0x90 && data[1] == (byte) 0x14) {
+        hash = Arrays.copyOfRange(data, 2, data.length);
+        return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+      } else {
+        throw new CardException("HASH command only supports complete hash.");
+      }
+      
+    } else if (command.getP1() == 0x9E && command.getP2() == 0x9A) {
+      
+      // COMPUTE DIGITAL SIGNATURE
+      if (securityEnv == null) {
+        // No security environment
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+      }
+      if (hash == null) {
+        // Command sequence not correct
+        return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x03});
+      }
+      if (hash.length != 20) {
+        // Invalid hash length
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80});
+      }
+      if (pins.get(KID_PIN_SS).state != PIN.STATE_PIN_VERIFIED) {
+        // Security Status not satisfied
+        return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+      }
+      
+      byte[] signature = new byte[48]; 
+      
+      // TODO replace by signature creation
+      Random random = new Random();
+      random.nextBytes(signature);
+      
+      byte[] response = new byte[signature.length + 2];
+      System.arraycopy(signature, 0, response, 0, signature.length);
+      response[signature.length] = (byte) 0x90;
+      response[signature.length + 1] = (byte) 0x00;
+      
+      hash = null;
+      pins.get(KID_PIN_SS).state = PIN.STATE_RESET;
+      
+      return new ResponseAPDU(response);
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    }
+    
+  }
+  
+  public void clearCert() {
+    Arrays.fill(EF_C_X509_CH_DS, (byte) 0x00);
+  }
+
+  @Override
+  public ResponseAPDU cmdMANAGE_SECURITY_ENVIRONMENT(CommandAPDU command, CardChannelEmul channel) throws CardException {
+
+    checkINS(command, 0x22);
+
+    switch (command.getP2()) {
+    case 0xA4:
+      switch (command.getP1()) {
+      case 0x41:
+        // INTERNAL AUTHENTICATE
+      case 0x81:
+        // EXTERNAL AUTHENTICATE
+      }
+    case 0xB6:
+      switch (command.getP1()) {
+      case 0x41: {
+        // PSO - COMPUTE DIGITAL SIGNATURE
+        byte[] dst = new byte[] { (byte) 0x84, (byte) 0x03, (byte) 0x80,
+            (byte) 0x02, (byte) 0x00, (byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10};
+        if (Arrays.equals(dst, command.getData())) {
+          securityEnv = command.getData();
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80});
+        }
+      }
+      case 0x81:
+        // PSO - VERIFY DGITAL SIGNATURE
+      }
+    case 0xB8:
+      switch (command.getP1()) {
+      case 0x41:
+        // PSO � DECIPHER
+      case 0x81:
+        // PSO � ENCIPHER
+      }
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x81});
+    }
+  
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java
new file mode 100644
index 00000000..89030894
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java
@@ -0,0 +1,375 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.HashMap;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.AbstractAppl;
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public class STARCOSCardChannelEmul extends CardChannelEmul {
+
+  public static final int KID_PIN_Glob = 0x01;
+  
+  /**
+   * 
+   */
+  protected CardEmul cardEmul;
+  
+  public final HashMap<Integer, PIN> globalPins = new HashMap<Integer, PIN>();
+
+  public STARCOSCardChannelEmul(CardEmul cardEmul) {
+    this.cardEmul = cardEmul;
+    globalPins.put(KID_PIN_Glob, new PIN(new byte[] { (byte) 0x24, (byte) 0x00,
+        (byte) 0x00, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+        (byte) 0xFF }, KID_PIN_Glob, 10));
+ }
+
+  @Override
+  public Card getCard() {
+    return cardEmul;
+  }
+
+  protected ResponseAPDU cmdSELECT(CommandAPDU command) throws CardException {
+  
+    byte[] fid = command.getData();
+    
+    switch (command.getP1()) {
+    case 0x00: // MF
+      if (fid.length !=0) {
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80}); 
+      } else {
+        currentFile = null;
+        currentAppl = null;
+        return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+      }
+
+    case 0x01: // Lower-level DF
+      throw new CardException("Not supported.");
+      
+    case 0x02: // EF in current DF
+      if (currentAppl != null) {
+        if (command.getP2() != 0x04) {
+          throw new CardException("Not supported.");
+        }
+        for (File file : currentAppl.getFiles()) {
+          if (Arrays.equals(fid, file.fid)) {
+            currentFile = file;
+            byte[] response = new byte[file.fcx.length + 2];
+            System.arraycopy(file.fcx, 0, response, 0, file.fcx.length);
+            response[file.fcx.length] = (byte) 0x90;
+            response[file.fcx.length + 1] = (byte) 0x00;
+            return new ResponseAPDU(response);
+          }
+        }
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x82});
+      } else {
+        throw new CardException("Not supported.");
+      }
+      
+    case 0x03: // Higher-level DF
+      throw new CardException("Not supported.");
+      
+    case 0x04: // Selection by DF name
+      AbstractAppl appl = cardEmul.getApplication(fid);
+      if (appl != null) {
+        if (command.getP2() != 0x00) {
+          throw new CardException("Not supported.");
+        }
+        if (currentAppl != null && currentAppl != appl) {
+          currentAppl.leaveApplContext();
+          currentFile = null;
+        }
+        currentAppl = appl;
+
+        byte[] fci = currentAppl.getFCI();
+        byte[] response = new byte[fci.length + 2];
+        System.arraycopy(fci, 0, response, 0, fci.length);
+        response[fci.length] = (byte) 0x90;
+        response[fci.length + 1] = (byte) 0x00;
+        return new ResponseAPDU(response);
+      }
+      
+    default:
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x86});
+    }
+    
+  }
+  
+  protected ResponseAPDU cmdREAD_BINARY(CommandAPDU command) throws CardException {
+
+    if (command.getINS() != 0xB0) {
+      throw new IllegalArgumentException("INS has to be 0xB0.");
+    }
+
+    if (currentFile == null) {
+      return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x86}); 
+    }
+    
+    if ((command.getP1() & 0x80) > 0) {
+      throw new CardException("Not implemented.");
+    }
+    
+    int offset = command.getP2() + (command.getP1() << 8);
+    if (offset > currentFile.file.length) {
+      // Wrong length
+      return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+    }
+    
+    if (command.getNe() == 0) {
+      throw new CardException("Not implemented.");
+    }
+    
+    if (currentFile.kid != -1) {
+      PIN pin;
+      if ((currentFile.kid & 0x80) > 0) {
+        if (currentAppl == null
+            || (pin = currentAppl.pins.get(currentFile.kid)) == null
+            || pin.state != PIN.STATE_PIN_VERIFIED) {
+          return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+        }
+      } else {
+        if ((pin = globalPins.get(currentFile.kid)) == null
+          || pin.state != PIN.STATE_PIN_VERIFIED) {
+          return new ResponseAPDU(new byte[] {(byte) 0x69, (byte) 0x82});
+        }
+      }
+    }
+    
+    if (command.getNe() == 256 || command.getNe() <= currentFile.file.length - offset) {
+      int len = Math.min(command.getNe(), currentFile.file.length - offset);
+      byte[] response = new byte[len + 2];
+      System.arraycopy(currentFile.file, offset, response, 0, len);
+      response[len] = (byte) 0x90;
+      response[len + 1] = (byte) 0x00;
+      return new ResponseAPDU(response);
+    } else if (command.getNe() >= currentFile.file.length - offset) {
+      return new ResponseAPDU(new byte[] {(byte) 0x62, (byte) 0x82});
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+    }
+    
+  }
+
+  
+  @Override
+  public ResponseAPDU transmit(CommandAPDU command) throws CardException {
+  
+    if (command.getCLA() == 0x00) {
+  
+      switch (command.getINS()) {
+  
+      // SELECT
+      case 0xA4:
+        return cmdSELECT(command);
+      
+      // READ BINARY
+      case 0xB0:
+        return cmdREAD_BINARY(command);
+      
+      // VERIFY
+      case 0x20:
+        return cmdVERIFY(command);
+      
+      // MANAGE SECURITY ENVIRONMENT
+      case 0x22: {
+        if (currentAppl != null) {
+          return currentAppl.cmdMANAGE_SECURITY_ENVIRONMENT(command, this);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05}); 
+        }
+      }
+      
+      // CHANGE REFERENCE DATA
+      case 0x24: {
+        return cmdCHANGE_REFERENCE_DATA(command);
+      }
+      
+      // PERFORM SECURITY OPERATION
+      case 0x2A: {
+        if (currentAppl != null) {
+          return currentAppl.cmdPERFORM_SECURITY_OPERATION(command, this);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+  
+      // INTERNAL AUTHENTICATE
+      case 0x88: {
+        if (currentAppl != null) {
+          return currentAppl.cmdINTERNAL_AUTHENTICATE(command, this);
+        } else {
+          return new ResponseAPDU(new byte[] {(byte) 0x6F, (byte) 0x05});
+        }
+      }
+      
+      default:
+        return new ResponseAPDU(new byte[] { (byte) 0x6D, (byte) 0x00});
+      }
+  
+    } else {
+      return new ResponseAPDU(new byte[] { (byte) 0x6E, (byte) 0x00}); 
+    }
+  
+  }
+
+  protected ResponseAPDU verifyPin(int kid, byte[] reference) {
+    
+    PIN pin;
+    if ((kid & 0x80) > 0 && currentAppl != null) {
+      pin = currentAppl.pins.get(kid);
+    } else {
+      pin = globalPins.get(kid);
+    }
+    
+    if (pin != null) {
+  
+      if (reference.length == 0) {
+        return new ResponseAPDU(new byte[] { (byte) 0x63, (byte) (pin.kfpc | 0xC0)});
+      }
+      
+      if (reference.length != 8) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+      
+      if (Arrays.equals(reference, pin.pin)) {
+        switch (pin.state) {
+        case PIN.STATE_PIN_BLOCKED:
+          return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x83 });
+  
+        case PIN.STATE_RESET:
+          pin.state = PIN.STATE_PIN_VERIFIED;
+          
+        default:
+          pin.kfpc = 10;
+          return new ResponseAPDU(new byte[] { (byte) 0x90, (byte) 0x00 });
+        }
+      } else {
+        switch (pin.state) {
+        case PIN.STATE_PIN_BLOCKED:
+          return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x83 });
+        
+        default:
+          if (--pin.kfpc > 0) {
+            return new ResponseAPDU(new byte[] { (byte) 0x63, (byte) (pin.kfpc | 0xC0)});
+          } else {
+            pin.state = PIN.STATE_PIN_BLOCKED;
+            return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x83 });
+          }
+        }
+        
+      }
+      
+    } else {
+      return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x00});
+    }
+    
+  }
+
+  protected ResponseAPDU cmdVERIFY(CommandAPDU command) throws CardException {
+    
+    if (command.getINS() != 0x20) {
+      throw new IllegalArgumentException("INS has to be 0x20.");
+    }
+    
+    if (command.getP1() != 00) {
+      return new ResponseAPDU(new byte[] {(byte) 0x6B, (byte) 0x00});
+    }
+    
+    return verifyPin(command.getP2(), command.getData());
+  
+  }
+
+  protected ResponseAPDU cmdCHANGE_REFERENCE_DATA(CommandAPDU command) {
+    
+    if (command.getINS() != 0x24) {
+      throw new IllegalArgumentException("INS has to be 0x24.");
+    }
+
+    byte[] data = command.getData();
+
+    ResponseAPDU response;
+    
+    if (command.getP1() == 0x01) {
+    
+      if (data.length != 8) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+      
+      response = verifyPin(0xFF & command.getP2(), data);
+
+    } else if (command.getP1() == 0x00) {
+      
+      if (data.length != 16) {
+        return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
+      }
+  
+      response = verifyPin(0xFF & command.getP2(), Arrays.copyOf(data, 8));
+    
+    } else {
+      return new ResponseAPDU(new byte[] { (byte) 0x6A, (byte) 0x81 });
+    }
+     
+    if (response.getSW() == 0x9000) {
+      PIN pin;
+      if (currentAppl != null) {
+        pin = currentAppl.pins.get(command.getP2());
+      } else {
+        pin = globalPins.get(command.getP2());
+      }
+      pin.pin = Arrays.copyOfRange(data, 8, 16);
+    }
+
+    return response;
+    
+  }
+  
+  public void setPin(int kid, char[] value) {
+    PIN pin = globalPins.get(kid);
+    if (pin != null) {
+      if (value == null) {
+        pin.pin = null;
+      } else {
+        byte[] b = new byte[8];
+        b[0] = (byte) (0x20 | value.length);
+        for(int i = 1, j = 0; i < b.length; i++) {
+          int h = ((j < value.length) 
+                  ? Character.digit(value[j++], 10) 
+                  : 0x0F);
+          int l = ((j < value.length) 
+                  ? Character.digit(value[j++], 10) 
+                  : 0x0F);
+          b[i] = (byte) ((h << 4) | l);
+        }
+        pin.pin = b;
+      }
+    }
+  }
+
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java
new file mode 100644
index 00000000..7b2f3fbe
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java
@@ -0,0 +1,50 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+
+import javax.smartcardio.ATR;
+
+import at.gv.egiz.smcc.CardChannelEmul;
+import at.gv.egiz.smcc.CardEmul;
+
+@SuppressWarnings("restriction")
+public class STARCOSCardEmul extends CardEmul {
+  
+  protected static ATR ATR = new ATR(new byte[] {
+      (byte) 0x3b, (byte) 0xbd, (byte) 0x18, (byte) 0x00, (byte) 0x81, (byte) 0x31, (byte) 0xfe, (byte) 0x45, 
+      (byte) 0x80, (byte) 0x51, (byte) 0x02, (byte) 0x67, (byte) 0x05, (byte) 0x18, (byte) 0xb1, (byte) 0x02, 
+      (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x81, (byte) 0x05, (byte) 0x31
+  });
+  
+  public STARCOSCardEmul() {
+    applications.add(new STARCOSApplSichereSignatur((STARCOSCardChannelEmul) channel));
+    applications.add(new STARCOSApplInfobox((STARCOSCardChannelEmul) channel));
+    applications.add(new STARCOSApplGewoehnlicheSignatur((STARCOSCardChannelEmul) channel));
+  }
+
+  @Override
+  public ATR getATR() {
+    return ATR;
+  }
+
+  @Override
+  protected CardChannelEmul newCardChannel(CardEmul cardEmul) {
+    return new STARCOSCardChannelEmul(this);
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
new file mode 100644
index 00000000..0fb4f62d
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
@@ -0,0 +1,297 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+import javax.smartcardio.CardChannel;
+
+import org.junit.Test;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.CardNotSupportedException;
+import at.gv.egiz.smcc.CardTerminalEmul;
+import at.gv.egiz.smcc.CardTest;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINMgmtSignatureCard;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.STARCOSCard;
+import at.gv.egiz.smcc.SignatureCard;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.SignatureCardFactory;
+import at.gv.egiz.smcc.CardTest.TestChangePINProvider;
+import at.gv.egiz.smcc.CardTest.TestPINProvider;
+import at.gv.egiz.smcc.SignatureCard.KeyboxName;
+import at.gv.egiz.smcc.acos.A03ApplDEC;
+import at.gv.egiz.smcc.acos.A04ApplDEC;
+import at.gv.egiz.smcc.acos.A04ApplSIG;
+import at.gv.egiz.smcc.acos.ACOSAppl;
+import at.gv.egiz.smcc.acos.ACOSApplDEC;
+import at.gv.egiz.smcc.acos.ACOSApplSIG;
+
+public class STARCOSCardTest extends CardTest {
+
+  @Override
+  protected SignatureCard createSignatureCard()
+      throws CardNotSupportedException {
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    STARCOSCardEmul card = new STARCOSCardEmul();
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+    assertTrue(signatureCard instanceof PINMgmtSignatureCard);
+    return signatureCard;
+  }
+  
+  @Test
+  public void testGetInfoboxIdentityLinkEmpty() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    char[] pin = "0000".toCharArray();
+    
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSApplInfobox appl = (STARCOSApplInfobox) card.getApplication(STARCOSAppl.AID_Infobox);
+    appl.clearInfobox();
+
+    byte[] idlink = signatureCard.getInfobox("IdentityLink",
+        new TestPINProvider(pin), null);
+    assertNull(idlink);
+
+  }
+
+  @Test(expected = SignatureCardException.class)
+  public void testGetInfoboxIdentityInvalid() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    char[] pin = "0000".toCharArray();
+    
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSApplInfobox appl = (STARCOSApplInfobox) card.getApplication(STARCOSAppl.AID_Infobox);
+    appl.setInfoboxHeader((byte) 0xFF);
+
+    signatureCard.getInfobox("IdentityLink", new TestPINProvider(pin), null);
+
+  }
+ 
+  @Test
+  public void testGetCerts() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    SignatureCard signatureCard = createSignatureCard();
+
+    byte[] cert;
+
+    cert = signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+    assertNotNull(cert);
+    assertTrue(Arrays.equals(cert, STARCOSApplSichereSignatur.C_X509_CH_DS));
+
+    cert = signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+    assertNotNull(cert);
+    assertTrue(Arrays.equals(cert, STARCOSApplGewoehnlicheSignatur.C_X509_CH_AUT));
+
+  }
+
+  @Test(expected = NotActivatedException.class)
+  public void testGetDSCertEmpty() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
+    appl.clearCert();
+
+    signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
+
+  }
+
+  @Test(expected = NotActivatedException.class)
+  public void testGetAUTCertEmpty() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSApplGewoehnlicheSignatur appl = (STARCOSApplGewoehnlicheSignatur) card.getApplication(STARCOSApplGewoehnlicheSignatur.AID_GewoehnlicheSignatur);
+    appl.clearCert();
+
+    signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
+
+  }
+  
+  @Test
+  public void testSignSichereSignatur() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    char[] pin = "123456".toCharArray();
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
+    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, pin);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    byte[] signature = signatureCard.createSignature(hash,
+        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin));
+
+    assertNotNull(signature);
+
+  }
+
+  @Test
+  public void testSignGewoehnlicheSignatur() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    char[] pin = "1234".toCharArray();
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
+    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, pin);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    byte[] signature = signatureCard.createSignature(hash,
+        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin));
+
+    assertNotNull(signature);
+
+  }
+  
+  @Test(expected = LockedException.class)
+  public void testSignSichereSignaturInvalidPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignGewoehnlicheSignaturInvalidPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("1234".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignSichereSignaturBlockedPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
+    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, null);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+    assertTrue(pinProvider.getProvided() <= 0);
+
+    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider);
+
+  }
+
+  @Test(expected = LockedException.class)
+  public void testSignGewoehnlicheSignaturBlockedPin() throws SignatureCardException,
+      InterruptedException, CardNotSupportedException,
+      NoSuchAlgorithmException, UnsupportedEncodingException {
+
+    SignatureCard signatureCard = createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
+    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, null);
+
+    MessageDigest md = MessageDigest.getInstance("SHA-1");
+    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
+
+    TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
+
+    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider);
+
+  }
+  
+  @Test
+  public void testChangePin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+
+    char[] defaultPin = "123456".toCharArray();
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
+    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, defaultPin);
+    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
+    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, defaultPin);
+    
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
+
+      char[] pin = defaultPin;
+
+      for (int i = pinSpec.getMinLength(); i <= pinSpec.getMaxLength(); i++) {
+        signatureCard.verifyPIN(pinSpec, new TestPINProvider(pin));
+        char[] newPin = new char[i];
+        Arrays.fill(newPin, '0');
+        signatureCard
+            .changePIN(pinSpec, new TestChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
+        pin = newPin;
+      }
+
+    }
+
+  }
+
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/util/ISO7816UtilsTest.java b/smcc/src/test/java/at/gv/egiz/smcc/util/ISO7816UtilsTest.java
new file mode 100644
index 00000000..679f2c02
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/util/ISO7816UtilsTest.java
@@ -0,0 +1,175 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.util;
+
+import java.util.Arrays;
+
+import javax.smartcardio.CommandAPDU;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import at.gv.egiz.smcc.VerifyAPDUSpec;
+import at.gv.egiz.smcc.util.ISO7816Utils;
+import static org.junit.Assert.*;
+
+public class ISO7816UtilsTest {
+  
+  @Test
+  public void testFormatPIN() {
+    
+    formatPIN(VerifyAPDUSpec.PIN_FORMAT_BINARY,
+        VerifyAPDUSpec.PIN_JUSTIFICATION_LEFT, 7, "1234",
+        new byte[] {
+        (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        },
+        new byte[] {
+        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        }
+    );
+
+    formatPIN(VerifyAPDUSpec.PIN_FORMAT_BINARY,
+        VerifyAPDUSpec.PIN_JUSTIFICATION_RIGHT, 7, "12345",
+        new byte[] {
+        (byte) 0x00, (byte) 0x00, (byte) 0x05, (byte) 0x04, (byte) 0x03, (byte) 0x02, (byte) 0x01
+        },
+        new byte[] {
+        (byte) 0x00, (byte) 0x00, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff
+        }
+    );
+
+    formatPIN(VerifyAPDUSpec.PIN_FORMAT_BCD,
+        VerifyAPDUSpec.PIN_JUSTIFICATION_LEFT, 7, "12345",
+        new byte[] {
+        (byte) 0x12, (byte) 0x34, (byte) 0x50, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        },
+        new byte[] {
+        (byte) 0xff, (byte) 0xff, (byte) 0xf0, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        }
+    );
+
+    formatPIN(VerifyAPDUSpec.PIN_FORMAT_BCD,
+        VerifyAPDUSpec.PIN_JUSTIFICATION_RIGHT, 7, "1234567",
+        new byte[] {
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x07, (byte) 0x65, (byte) 0x43, (byte) 0x21
+        },
+        new byte[] {
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x0f, (byte) 0xff, (byte) 0xff, (byte) 0xff
+        }
+    );
+
+    formatPIN(VerifyAPDUSpec.PIN_FORMAT_ASCII,
+        VerifyAPDUSpec.PIN_JUSTIFICATION_LEFT, 7, "1234",
+        new byte[] {
+        (byte) 0x31, (byte) 0x32, (byte) 0x33, (byte) 0x34, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        },
+        new byte[] {
+        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        }
+    );
+
+    formatPIN(VerifyAPDUSpec.PIN_FORMAT_ASCII,
+        VerifyAPDUSpec.PIN_JUSTIFICATION_RIGHT, 7, "12345",
+        new byte[] {
+        (byte) 0x00, (byte) 0x00, (byte) 0x35, (byte) 0x34, (byte) 0x33, (byte) 0x32, (byte) 0x31
+        },
+        new byte[] {
+        (byte) 0x00, (byte) 0x00, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff
+        }
+    );
+
+    
+  }
+  
+  private void formatPIN(int pinFormat, int pinJusitification, int pinLength, String pin, byte[] rfpin, byte[] rmask) {
+
+    byte[] fpin = new byte[pinLength];
+    byte[] mask = new byte[pinLength];
+    
+    ISO7816Utils.formatPIN(pinFormat, pinJusitification, fpin, mask, pin.toCharArray());
+    
+//    System.out.println(toString(fpin));
+//    System.out.println(toString(mask));
+    
+    assertTrue(Arrays.equals(fpin, rfpin));
+    assertTrue(Arrays.equals(mask, rmask));
+    
+  }
+  
+  @Test
+  public void testCreateVerifyAPDU() {
+    
+    VerifyAPDUSpec verifyAPDUSpec;
+    CommandAPDU apdu;
+    byte[] ref;
+    
+    verifyAPDUSpec = new VerifyAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x00, (byte) 0x80, (byte) 0x08,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
+    
+    apdu = ISO7816Utils.createVerifyAPDU(verifyAPDUSpec, "1234".toCharArray());
+    
+//    System.out.println(toString(apdu.getBytes()));
+    
+    ref = new byte[] { (byte) 0x00, (byte) 0x20, (byte) 0x00, (byte) 0x80,
+        (byte) 0x08, (byte) 0x24, (byte) 0x12, (byte) 0x34, (byte) 0xff,
+        (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff };
+    
+    assertTrue(Arrays.equals(apdu.getBytes(), ref));
+    
+    ref = new byte[] { (byte) 0x00, (byte) 0x20, (byte) 0x00, (byte) 0x80,
+        (byte) 0x08, (byte) 0x31, (byte) 0x32, (byte) 0x33, (byte) 0x34,
+        (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 };
+    
+    verifyAPDUSpec = new VerifyAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x00, (byte) 0x80, (byte) 0x08,
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 }, 
+        0, VerifyAPDUSpec.PIN_FORMAT_ASCII, 8);
+
+    apdu = ISO7816Utils.createVerifyAPDU(verifyAPDUSpec, "1234".toCharArray());
+
+//    System.out.println(toString(apdu.getBytes()));
+    
+    assertTrue(Arrays.equals(apdu.getBytes(), ref));
+
+  }
+  
+  private String toString(byte[] b) {
+    StringBuffer sb = new StringBuffer();
+    if (b != null && b.length > 0) {
+      sb.append(Integer.toHexString((b[0] & 240) >> 4));
+      sb.append(Integer.toHexString(b[0] & 15));
+    }
+    for (int i = 1; i < b.length; i++) {
+      sb.append(':');
+      sb.append(Integer.toHexString((b[i] & 240) >> 4));
+      sb.append(Integer.toHexString(b[i] & 15));
+    }
+    return sb.toString();
+  }
+
+
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
index eeb97290..32e990c5 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
@@ -53,8 +53,8 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler {
                   .getCardPINProvider(),
                   infoBox.getDomainIdentifier());
           if (resp == null) {
-            log.info("Got null as result->user cancelled");
-            return new ErrorResponse(6001);
+            log.info("Infobox doesn't contain any data. Assume card is not activated.");
+            throw new NotActivatedException();
           } else {
             try {
               resp = DomainIdConverter.convertDomainId(resp, infoBox
diff --git a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
index 1c1cb833..36880e68 100644
--- a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
+++ b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
@@ -1,6 +1,5 @@
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.ccid.CCID;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
@@ -10,17 +9,18 @@ import javax.smartcardio.CardTerminal;
 
 import org.junit.Assert;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Test;
 
 import at.gv.egiz.bku.gui.BKUGUIFacade;
 import at.gv.egiz.bku.smccstal.AbstractSMCCSTAL;
 import at.gv.egiz.bku.smccstal.SMCCSTALRequestHandler;
+import at.gv.egiz.smcc.ccid.CCID;
 import at.gv.egiz.stal.ErrorResponse;
 import at.gv.egiz.stal.InfoboxReadRequest;
 import at.gv.egiz.stal.InfoboxReadResponse;
 import at.gv.egiz.stal.STALRequest;
 import at.gv.egiz.stal.STALResponse;
-import org.junit.Ignore;
 
 public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
     SMCCSTALRequestHandler {
@@ -87,32 +87,11 @@ public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
       
     }
 
-
-      @Override
-      public List<PINSpec> getPINSpecs() {
-        return new ArrayList<PINSpec>();
-      }
-
-      @Override
-      public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider) {
-      }
-
-      @Override
-      public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider) {
-      }
-
-      @Override
-      public void activatePIN(PINSpec pinSpec, PINProvider pinProvider) {
-      }
-
-      @Override
-      public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider) {
-      }
-
-      @Override
-      public CCID getReader() {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
+    @Override
+    public CCID getReader() {
+      // TODO Auto-generated method stub
+      return null;
+    }
 
    };
     return false;
-- 
cgit v1.2.3


From 974087a04d2fb9b03a72b66c090afe65e5a818dc Mon Sep 17 00:00:00 2001
From: clemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Thu, 6 Aug 2009 14:01:01 +0000
Subject: FIX [462] PINMgmtSignatureCard changePIN silently ignores wrong pin
 entry [63cX]

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@414 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 smcc/src/test/java/at/gv/egiz/smcc/CardTest.java   | 67 ++++++++++++++++++++++
 .../at/gv/egiz/smcc/starcos/STARCOSCardTest.java   | 57 +++++++++++++++++-
 2 files changed, 123 insertions(+), 1 deletion(-)

(limited to 'smcc/src/test/java')

diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
index 298e26a5..f72820e1 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
@@ -76,6 +76,73 @@ public abstract class CardTest {
   
   }
 
+  public class TestWrongPINProvider implements PINProvider {
+
+    int provided = 0;
+    int numWrongTries = 0;
+
+    char[] pin;
+
+    public TestWrongPINProvider(char[] pin, int numWrongTries) {
+      super();
+      this.pin = pin;
+      this.numWrongTries = numWrongTries;
+    }
+
+    @Override
+    public char[] providePIN(PINSpec spec, int retries)
+        throws CancelledException, InterruptedException {
+      if (provided >= numWrongTries) {
+        throw new CancelledException("Number of wrong tries reached: " + provided);
+      } else {
+        provided++;
+        return pin;
+      }
+    }
+
+    public int getProvided() {
+      return provided;
+    }
+  }
+
+  public class TestWrongChangePINProvider implements ChangePINProvider {
+
+    int provided = 0;
+    int numWrongTries = 0;
+
+    char[] pin;
+    char[] oldPin;
+
+    /** emulate ChangePinProvider */
+    public TestWrongChangePINProvider(char[] oldPin, char[] newPin, int numWrongTries) {
+      super();
+      this.pin = newPin;
+      this.oldPin = oldPin;
+      this.numWrongTries = numWrongTries;
+    }
+
+    @Override
+    public char[] providePIN(PINSpec spec, int retries)
+        throws CancelledException, InterruptedException {
+      return pin;
+    }
+
+    public int getProvided() {
+      return provided;
+    }
+
+    @Override
+    public char[] provideOldPIN(PINSpec spec, int retries)
+        throws CancelledException, InterruptedException {
+      if (provided >= numWrongTries) {
+        throw new CancelledException("Number of wrong tries reached: " + provided);
+      } else {
+        provided++;
+        return oldPin;
+      }
+    }
+  }
+
   public CardTest() {
     super();
   }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
index 0fb4f62d..bf56ef47 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
@@ -45,6 +45,7 @@ import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.smcc.SignatureCardFactory;
 import at.gv.egiz.smcc.CardTest.TestChangePINProvider;
 import at.gv.egiz.smcc.CardTest.TestPINProvider;
+import at.gv.egiz.smcc.PINProvider;
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
 import at.gv.egiz.smcc.acos.A03ApplDEC;
 import at.gv.egiz.smcc.acos.A04ApplDEC;
@@ -52,6 +53,7 @@ import at.gv.egiz.smcc.acos.A04ApplSIG;
 import at.gv.egiz.smcc.acos.ACOSAppl;
 import at.gv.egiz.smcc.acos.ACOSApplDEC;
 import at.gv.egiz.smcc.acos.ACOSApplSIG;
+import org.junit.Ignore;
 
 public class STARCOSCardTest extends CardTest {
 
@@ -288,10 +290,63 @@ public class STARCOSCardTest extends CardTest {
         signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
         pin = newPin;
       }
-
     }
+  }
+
+  @Test
+  public void testVerifyWrongPin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+
+    char[] defaultPin = "123456".toCharArray();
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
+    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, defaultPin);
+    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
+    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, defaultPin);
+
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
+      char[] wrongPin = "999999".toCharArray();
+      int numWrongTries = 2;
+      TestWrongPINProvider wrongPinProvider = new TestWrongPINProvider(wrongPin, numWrongTries);
+      try {
+        signatureCard.verifyPIN(pinSpec, wrongPinProvider);
+      } catch (CancelledException ex) {
+      } finally {
+        assertTrue(wrongPinProvider.getProvided() == numWrongTries);
+      }
+    }
   }
 
+  @Test
+  public void testChangeWrongPin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+    char[] defaultPin = "123456".toCharArray();
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
+    CardEmul card = (CardEmul) signatureCard.getCard();
+    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
+    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, defaultPin);
+    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
+    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, defaultPin);
+
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
+      char[] wrongPin = "999999".toCharArray();
+      int numWrongTries = 2;
+      TestWrongChangePINProvider wrongPinProvider =
+              new TestWrongChangePINProvider(wrongPin, defaultPin, numWrongTries);
+
+      try {
+        signatureCard.changePIN(pinSpec, wrongPinProvider);
+      } catch (CancelledException ex) {
+      } finally {
+        assertTrue(wrongPinProvider.getProvided() == numWrongTries);
+      }
+    }
+  }
 }
-- 
cgit v1.2.3


From 497f6336cc96cd3b2b4cd760774ec4c2ed892df2 Mon Sep 17 00:00:00 2001
From: clemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Thu, 13 Aug 2009 09:09:06 +0000
Subject: [#436] resolve "#PIN digits" message via message resource bundle

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@418 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   |  6 ++--
 smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java    | 36 +++++++++++++++++-----
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java |  4 +--
 .../resources/at/gv/egiz/smcc/ACOSCard.properties  |  3 ++
 .../at/gv/egiz/smcc/STARCOSCard.properties         |  2 ++
 smcc/src/test/java/at/gv/egiz/smcc/CardTest.java   |  8 ++---
 .../at/gv/egiz/smcc/starcos/STARCOSCardTest.java   | 26 ++++++++--------
 7 files changed, 55 insertions(+), 30 deletions(-)

(limited to 'smcc/src/test/java')

diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index 99aadebd..414d4678 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -104,13 +104,13 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   };
 
   private static final PINSpec DEC_PIN_SPEC = new PINSpec(0, 8, "[0-9]",
-      "at/gv/egiz/smcc/ACOSCard", "dec.pin.name", KID_PIN_DEC, AID_DEC);
+      "at/gv/egiz/smcc/ACOSCard", "dec.pin", KID_PIN_DEC, AID_DEC);
 
   private static final PINSpec SIG_PIN_SPEC = new PINSpec(0, 8, "[0-9]",
-      "at/gv/egiz/smcc/ACOSCard", "sig.pin.name", KID_PIN_SIG, AID_SIG);
+      "at/gv/egiz/smcc/ACOSCard", "sig.pin", KID_PIN_SIG, AID_SIG);
 
   private static final PINSpec INF_PIN_SPEC = new PINSpec(0, 8, "[0-9]",
-      "at/gv/egiz/smcc/ACOSCard", "inf.pin.name", KID_PIN_INF, AID_DEC);
+      "at/gv/egiz/smcc/ACOSCard", "inf.pin", KID_PIN_INF, AID_DEC);
   
   /**
    * The version of the card's digital signature application.
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java b/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java
index b8ffafab..1812049c 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINSpec.java
@@ -33,7 +33,10 @@ public class PINSpec {
     
     String resourceBundleName_;
     
-    String name_;
+    String nameKey_;
+
+    /** the localized, i.e. configurable length */
+    String lengthKey_;
 
     byte kid_;
 
@@ -49,13 +52,14 @@ public class PINSpec {
      * @param kid the keyId for this pin
      */
     public PINSpec(int minLenght, int maxLength, String rexepPattern, 
-        String resourceBundleName, String name, byte kid, byte[] contextAID) {
+        String resourceBundleName, String resourceKey, byte kid, byte[] contextAID) {
         
         minLength_ = minLenght;
         maxLength_ = maxLength;
         rexepPattern_ = rexepPattern;
         resourceBundleName_ = resourceBundleName;
-        name_ = name;
+        nameKey_ = resourceKey + ".name";
+        lengthKey_ = resourceKey + ".length";
         kid_ = kid;
         context_aid_ = contextAID;
     }
@@ -66,7 +70,8 @@ public class PINSpec {
         minLength_ = minLenght;
         maxLength_ = maxLength;
         rexepPattern_ = rexepPattern;
-        name_ = name;
+        nameKey_ = name + ".name";
+        lengthKey_ = name + ".length";
         kid_ = kid;
         context_aid_ = contextAID;
     }
@@ -75,9 +80,9 @@ public class PINSpec {
       
       if (resourceBundleName_ != null) {
         ResourceBundle resourceBundle = ResourceBundle.getBundle(resourceBundleName_);
-        return resourceBundle.getString(name_);
+        return resourceBundle.getString(nameKey_);
       } else {
-        return name_;
+        return nameKey_;
       }
         
     }
@@ -86,13 +91,28 @@ public class PINSpec {
       
       if (resourceBundleName_ != null) {
         ResourceBundle resourceBundle = ResourceBundle.getBundle(resourceBundleName_, locale);
-        return resourceBundle.getString(name_);
+        return resourceBundle.getString(nameKey_);
       } else {
-        return name_;
+        return nameKey_;
       }
       
     }
 
+    public String getLocalizedLength() {
+
+      if (resourceBundleName_ != null) {
+        ResourceBundle resourceBundle = ResourceBundle.getBundle(resourceBundleName_);
+        return resourceBundle.getString(lengthKey_);
+      } else {
+        if (maxLength_ > minLength_) {
+          return minLength_ + "-" + maxLength_;
+        } else {
+          return String.valueOf(minLength_);
+        }
+      }
+
+    }
+
     public int getMaxLength() {
         return maxLength_;
     }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index 921819ee..2e6dd5d6 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -150,11 +150,11 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
 
   private static final PINSpec CARD_PIN_SPEC =
     new PINSpec(4, 12, "[0-9]", 
-        "at/gv/egiz/smcc/STARCOSCard", "card.pin.name", KID_PIN_CARD, null);
+        "at/gv/egiz/smcc/STARCOSCard", "card.pin", KID_PIN_CARD, null);
   
   private static final PINSpec SS_PIN_SPEC =
     new PINSpec(6, 12, "[0-9]", 
-        "at/gv/egiz/smcc/STARCOSCard", "sig.pin.name", KID_PIN_SS, AID_DF_SS);
+        "at/gv/egiz/smcc/STARCOSCard", "sig.pin", KID_PIN_SS, AID_DF_SS);
 
   /**
    * Creates an new instance.
diff --git a/smcc/src/main/resources/at/gv/egiz/smcc/ACOSCard.properties b/smcc/src/main/resources/at/gv/egiz/smcc/ACOSCard.properties
index d2bbe4f9..2e032d1b 100644
--- a/smcc/src/main/resources/at/gv/egiz/smcc/ACOSCard.properties
+++ b/smcc/src/main/resources/at/gv/egiz/smcc/ACOSCard.properties
@@ -17,5 +17,8 @@
 # and open the template in the editor.
 
 dec.pin.name=Geheimhaltungs-PIN
+dec.pin.length=4
 sig.pin.name=Signatur-PIN
+sig.pin.length=6
 inf.pin.name=Infobox-PIN
+inf.pin.length=4
diff --git a/smcc/src/main/resources/at/gv/egiz/smcc/STARCOSCard.properties b/smcc/src/main/resources/at/gv/egiz/smcc/STARCOSCard.properties
index 6fa5f0fa..ae91f265 100644
--- a/smcc/src/main/resources/at/gv/egiz/smcc/STARCOSCard.properties
+++ b/smcc/src/main/resources/at/gv/egiz/smcc/STARCOSCard.properties
@@ -17,4 +17,6 @@
 # and open the template in the editor.
 
 sig.pin.name=Signatur-PIN
+sig.pin.length=6
 card.pin.name=Karten-PIN
+card.pin.length=4
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
index f72820e1..2a55357d 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
@@ -76,14 +76,14 @@ public abstract class CardTest {
   
   }
 
-  public class TestWrongPINProvider implements PINProvider {
+  public class TestInvalidPINProvider implements PINProvider {
 
     int provided = 0;
     int numWrongTries = 0;
 
     char[] pin;
 
-    public TestWrongPINProvider(char[] pin, int numWrongTries) {
+    public TestInvalidPINProvider(char[] pin, int numWrongTries) {
       super();
       this.pin = pin;
       this.numWrongTries = numWrongTries;
@@ -105,7 +105,7 @@ public abstract class CardTest {
     }
   }
 
-  public class TestWrongChangePINProvider implements ChangePINProvider {
+  public class TestInvalidChangePINProvider implements ChangePINProvider {
 
     int provided = 0;
     int numWrongTries = 0;
@@ -114,7 +114,7 @@ public abstract class CardTest {
     char[] oldPin;
 
     /** emulate ChangePinProvider */
-    public TestWrongChangePINProvider(char[] oldPin, char[] newPin, int numWrongTries) {
+    public TestInvalidChangePINProvider(char[] oldPin, char[] newPin, int numWrongTries) {
       super();
       this.pin = newPin;
       this.oldPin = oldPin;
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
index bf56ef47..89e2ca65 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
@@ -294,7 +294,7 @@ public class STARCOSCardTest extends CardTest {
   }
 
   @Test
-  public void testVerifyWrongPin() throws CardNotSupportedException,
+  public void testVerifyInvalidPin() throws CardNotSupportedException,
       LockedException, NotActivatedException, CancelledException,
       PINFormatException, SignatureCardException, InterruptedException {
 
@@ -309,20 +309,20 @@ public class STARCOSCardTest extends CardTest {
 
     for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
-      char[] wrongPin = "999999".toCharArray();
-      int numWrongTries = 2;
-      TestWrongPINProvider wrongPinProvider = new TestWrongPINProvider(wrongPin, numWrongTries);
+      char[] invalidPin = "999999".toCharArray();
+      int numInvalidTries = 2;
+      TestInvalidPINProvider invalidPinProvider = new TestInvalidPINProvider(invalidPin, numInvalidTries);
       try {
-        signatureCard.verifyPIN(pinSpec, wrongPinProvider);
+        signatureCard.verifyPIN(pinSpec, invalidPinProvider);
       } catch (CancelledException ex) {
       } finally {
-        assertTrue(wrongPinProvider.getProvided() == numWrongTries);
+        assertTrue(invalidPinProvider.getProvided() == numInvalidTries);
       }
     }
   }
 
   @Test
-  public void testChangeWrongPin() throws CardNotSupportedException,
+  public void testChangeInvalidPin() throws CardNotSupportedException,
       LockedException, NotActivatedException, CancelledException,
       PINFormatException, SignatureCardException, InterruptedException {
     char[] defaultPin = "123456".toCharArray();
@@ -336,16 +336,16 @@ public class STARCOSCardTest extends CardTest {
 
     for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
-      char[] wrongPin = "999999".toCharArray();
-      int numWrongTries = 2;
-      TestWrongChangePINProvider wrongPinProvider =
-              new TestWrongChangePINProvider(wrongPin, defaultPin, numWrongTries);
+      char[] invalidPin = "999999".toCharArray();
+      int numInvalidTries = 2;
+      TestInvalidChangePINProvider invalidPinProvider =
+              new TestInvalidChangePINProvider(invalidPin, defaultPin, numInvalidTries);
 
       try {
-        signatureCard.changePIN(pinSpec, wrongPinProvider);
+        signatureCard.changePIN(pinSpec, invalidPinProvider);
       } catch (CancelledException ex) {
       } finally {
-        assertTrue(wrongPinProvider.getProvided() == numWrongTries);
+        assertTrue(invalidPinProvider.getProvided() == numInvalidTries);
       }
     }
   }
-- 
cgit v1.2.3


From 68941b57df2caeead67a5bede2ef5a635d07db32 Mon Sep 17 00:00:00 2001
From: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Wed, 11 Nov 2009 15:51:08 +0000
Subject: Added support for SHA-256 and partial support for e-card G3, BELPIC
 and Italian cards.

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@540 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../at/gv/egiz/stal/util/JCEAlgorithmNames.java    |  51 ----
 .../java/at/gv/egiz/bku/conf/Configurator.java     |  71 +++--
 .../at/gv/egiz/bku/slcommands/impl/STALHelper.java |  26 +-
 .../impl/xsect/AlgorithmMethodFactoryImpl.java     |  86 ++++--
 .../bku/slcommands/impl/xsect/STALProvider.java    |   6 +-
 .../egiz/bku/slcommands/impl/xsect/Signature.java  |  23 +-
 .../slexceptions/SLExceptionMessages.properties    |   2 +-
 .../slexceptions/SLExceptionMessages_en.properties |   2 +-
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   |  55 +++-
 smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java | 283 ++++++++++++++++++++
 smcc/src/main/java/at/gv/egiz/smcc/ITCard.java     | 297 +++++++++++++++++++++
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 192 +++++++++----
 smcc/src/main/java/at/gv/egiz/smcc/SWCard.java     |   8 +-
 .../main/java/at/gv/egiz/smcc/SignatureCard.java   |  11 +-
 .../java/at/gv/egiz/smcc/SignatureCardFactory.java |  96 +++++--
 .../java/at/gv/egiz/smcc/util/ISO7816Utils.java    |  11 +-
 .../at/gv/egiz/smcc/BELPICCard.properties          |   3 +
 .../resources/at/gv/egiz/smcc/ITCard.properties    |   3 +
 smcc/src/test/java/at/gv/egiz/smcc/CardTest.java   |  62 ++---
 .../java/at/gv/egiz/smcc/acos/ACOSCardTest.java    |  62 ++---
 .../at/gv/egiz/smcc/starcos/STARCOSCardTest.java   |  62 ++---
 .../gv/egiz/bku/smccstal/SignRequestHandler.java   |  21 +-
 .../java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java |   5 +-
 .../gv/egiz/xades/QualifyingPropertiesFactory.java |  15 +-
 24 files changed, 1145 insertions(+), 308 deletions(-)
 delete mode 100644 STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ITCard.java
 create mode 100644 smcc/src/main/resources/at/gv/egiz/smcc/BELPICCard.properties
 create mode 100644 smcc/src/main/resources/at/gv/egiz/smcc/ITCard.properties

(limited to 'smcc/src/test/java')

diff --git a/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java b/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java
deleted file mode 100644
index c162eed4..00000000
--- a/STAL/src/main/java/at/gv/egiz/stal/util/JCEAlgorithmNames.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.stal.util;
-
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Maps XML Algorithms to JCE Hash names.
- * 
- */
-public class JCEAlgorithmNames {
-
-  private Map<String, String> hashNameMap = new HashMap<String, String>();
-
-  public static String[] JCE_HASH_NAMES = { "SHA-1" };
-  
-  public static String[] SHA_1_ALGORITMS = {
-      "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
-      "http://www.w3.org/2000/09/xmldsig#rsa-sha1" };
-
-  private static JCEAlgorithmNames instance = new JCEAlgorithmNames();
-
-  private JCEAlgorithmNames() {
-    for (String alg : SHA_1_ALGORITMS) {
-      registerHash(alg, JCE_HASH_NAMES[0]);
-    }
-  }
-
-  public static String getJCEHashName(String xmlAlgorithmURI) {
-     return instance.hashNameMap.get(xmlAlgorithmURI);
-  }
-
-  public void registerHash(String xmlAlgorithmURI, String jceName) {
-    hashNameMap.put(xmlAlgorithmURI, jceName);
-  }
-}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java
index 41c2512f..50f5d2b4 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/conf/Configurator.java
@@ -166,31 +166,62 @@ public abstract class Configurator {
 
   protected void configureProviders() {
     log.debug("Registering security providers");
-    Security.insertProviderAt(new IAIK(), 1);
-    Security.insertProviderAt(new ECCProvider(false), 2);
+    
+    IAIK iaikProvider = new IAIK();
+    if (Security.getProvider(iaikProvider.getName()) == null) {
+      // register IAIK provider at first position
+      Security.insertProviderAt(iaikProvider, 1);
+    } else {
+      // IAIK provider already registered
+      log.info("Provider " + iaikProvider.getName() + " already registered.");
+    }
+
+    ECCProvider eccProvider = new ECCProvider(false);
+    if (Security.getProvider(eccProvider.getName()) == null) {
+      // register ECC Provider at second position
+      Security.insertProviderAt(eccProvider, 2);
+    } else {
+      // ECC Provider already registered
+      log.info("Provider " + eccProvider.getName() + " already registered."); 
+    }
 
     // registering STALProvider as delegation provider for XSECT
     STALProvider stalProvider = new STALProvider();
-    Set<Service> services = stalProvider.getServices();
-    StringBuilder sb = new StringBuilder();
-    for (Service service : services) {
-      String algorithm = service.getType() + "." + service.getAlgorithm();
-      XSecProvider.setDelegationProvider(algorithm, stalProvider.getName());
-      sb.append("\n" + algorithm);
+    if (Security.getProvider(stalProvider.getName()) == null) {
+      // register STAL provider
+      Set<Service> services = stalProvider.getServices();
+      StringBuilder sb = new StringBuilder();
+      for (Service service : services) {
+        String algorithm = service.getType() + "." + service.getAlgorithm();
+        XSecProvider.setDelegationProvider(algorithm, stalProvider.getName());
+        sb.append("\n" + algorithm);
+      }
+      log
+          .debug("Registered STALProvider as XSecProvider delegation provider for the following services : "
+              + sb.toString());
+
+      Security.addProvider(stalProvider);
+    } else {
+      // STAL Provider already registered
+      log.info("Provider " + stalProvider.getName() + " already registered."); 
     }
-    log
-        .debug("Registered STALProvider as XSecProvider delegation provider for the following services : "
-            + sb.toString());
-
-    Security.addProvider(stalProvider);
-    XSecProvider.addAsProvider(false);
-    sb = new StringBuilder();
-    sb.append("Registered providers: ");
-    int i = 1;
-    for (Provider prov : Security.getProviders()) {
-      sb.append((i++) + ". : " + prov);
+    
+    if (Security.getProvider(XSecProvider.NAME) == null) {
+      // register XML Security provider
+      XSecProvider.addAsProvider(false);
+    } else {
+      log.info("Provider " + XSecProvider.NAME + " already registered.");
+    }
+    
+    if (log.isDebugEnabled()) {
+      StringBuilder sb = new StringBuilder();
+      sb.append("Registered providers: ");
+      int i = 1;
+      for (Provider prov : Security.getProviders()) {
+        sb.append((i++) + ". : " + prov);
+      }
+      log.debug(sb.toString());
     }
-    log.debug(sb.toString());
   }
 
   protected void configViewer() {
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/STALHelper.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/STALHelper.java
index 0c7ce3f5..e903c608 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/STALHelper.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/STALHelper.java
@@ -18,8 +18,15 @@ package at.gv.egiz.bku.slcommands.impl;
 
 import iaik.asn1.CodingException;
 import iaik.asn1.DerCoder;
+import iaik.utils.Base64OutputStream;
 
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.StringWriter;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -174,7 +181,24 @@ public class STALHelper {
       try {
         certificates.add((X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(cert)));
       } catch (CertificateException e) {
-        log.info("Failed to decode certificate.", e);
+        if (log.isDebugEnabled()) {
+          ByteArrayOutputStream certDump = new ByteArrayOutputStream();
+          OutputStreamWriter writer = new OutputStreamWriter(certDump);
+          try {
+            writer.write("-----BEGIN CERTIFICATE-----\n");
+            writer.flush();
+            Base64OutputStream b64os = new Base64OutputStream(certDump);
+            b64os.write(cert);
+            b64os.flush();
+            writer.write("\n-----END CERTIFICATE-----");
+            writer.flush();
+          } catch (IOException e1) {
+            log.info("Failed to decode certificate.", e);
+          }
+          log.debug("Failed to decode certificate.\n" + certDump.toString(), e);
+        } else {
+          log.info("Failed to decode certificate.", e);
+        }
         throw new SLCommandException(4000,
             SLExceptionMessages.EC4000_UNCLASSIFIED_INFOBOX_INVALID,
             new Object[] { "Certificates" });
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java
index 6b963465..061fe707 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java
@@ -16,18 +16,23 @@
 */
 package at.gv.egiz.bku.slcommands.impl.xsect;
 
-import iaik.xml.crypto.XmldsigMore;
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
-
-import javax.xml.crypto.dsig.CanonicalizationMethod;
-import javax.xml.crypto.dsig.DigestMethod;
-import javax.xml.crypto.dsig.SignatureMethod;
-import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
-import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
-import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
+import iaik.security.ecc.interfaces.ECDSAParams;
+import iaik.xml.crypto.XmldsigMore;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.ECParameterSpec;
+
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
 
 /**
  * An implementation of the AlgorithmMethod factory that uses the signing
@@ -40,7 +45,12 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
   /**
    * The signature algorithm URI.
    */
-  private String signatureAlgorithmURI;
+  private String signatureAlgorithmURI;
+  
+  /**
+   * the digest algorithm URI.
+   */
+  private String digestAlgorithmURI = DigestMethod.SHA1;
 
   /**
    * The algorithm parameters for the signature algorithm.
@@ -51,23 +61,55 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
    * Creates a new AlgrithmMethodFactory with the given
    * <code>signingCertificate</code>.
    * 
-   * @param siginingCertificate
+   * @param signingCertificate
    * 
    * @throws NoSuchAlgorithmException
    *           if the public key algorithm of the given
    *           <code>signingCertificate</code> is not supported
    */
-  public AlgorithmMethodFactoryImpl(X509Certificate siginingCertificate)
+  public AlgorithmMethodFactoryImpl(X509Certificate signingCertificate)
       throws NoSuchAlgorithmException {
-
-    String algorithm = siginingCertificate.getPublicKey().getAlgorithm();
+
+    PublicKey publicKey = signingCertificate.getPublicKey();
+    String algorithm = publicKey.getAlgorithm();
 
     if ("DSA".equals(algorithm)) {
       signatureAlgorithmURI = SignatureMethod.DSA_SHA1;
-    } else if ("RSA".equals(algorithm)) {
-      signatureAlgorithmURI = SignatureMethod.RSA_SHA1;
-    } else if (("EC".equals(algorithm)) || ("ECDSA".equals(algorithm))) {
-      signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1;
+    } else if ("RSA".equals(algorithm)) {
+      
+      int keyLength = 0;
+      if (publicKey instanceof RSAPublicKey) {
+        keyLength = ((RSAPublicKey) publicKey).getModulus().bitLength();
+      }
+      
+      if (keyLength >= 2048) {
+        signatureAlgorithmURI = XmldsigMore.SIGNATURE_RSA_SHA256;
+        digestAlgorithmURI = DigestMethod.SHA256;
+      } else {
+        signatureAlgorithmURI = SignatureMethod.RSA_SHA1;
+      }
+      
+    } else if (("EC".equals(algorithm)) || ("ECDSA".equals(algorithm))) {
+      
+      int fieldSize = 0;
+      if (publicKey instanceof iaik.security.ecc.ecdsa.ECPublicKey) {
+        ECDSAParams params = ((iaik.security.ecc.ecdsa.ECPublicKey) publicKey).getParameter();
+        fieldSize = params.getG().getCurve().getField().getSize().bitLength();
+      } else if (publicKey instanceof ECPublicKey) {
+        ECParameterSpec params = ((ECPublicKey) publicKey).getParams();
+        fieldSize = params.getCurve().getField().getFieldSize();
+      }
+      
+      if (fieldSize < 256) {
+        signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1;
+      } else if (fieldSize < 512) {
+        signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA256;
+        digestAlgorithmURI = DigestMethod.SHA256;
+      } else {
+        signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512;
+        digestAlgorithmURI = DigestMethod.SHA512;
+      }
+      
     } else {
       throw new NoSuchAlgorithmException("Public key algorithm '" + algorithm
           + "' not supported.");
@@ -104,7 +146,7 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
       throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
 
     return signatureContext.getSignatureFactory().newDigestMethod(
-        DigestMethod.SHA1, (DigestMethodParameterSpec) null);
+        digestAlgorithmURI, (DigestMethodParameterSpec) null);
   }
 
   /*
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java
index 0ab30530..42c6a4c5 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java
@@ -49,7 +49,11 @@ public class STALProvider extends Provider {
     map.put("Signature." + SignatureMethod.RSA_SHA1,
         IMPL_PACKAGE_NAME + ".STALSignature");
     map.put("Signature." + XmldsigMore.SIGNATURE_ECDSA_SHA1, 
-        IMPL_PACKAGE_NAME + ".STALSignature");
+        IMPL_PACKAGE_NAME + ".STALSignature");
+    map.put("Signature." + XmldsigMore.SIGNATURE_RSA_SHA256, 
+        IMPL_PACKAGE_NAME + ".STALSignature");
+    map.put("Signature." + XmldsigMore.SIGNATURE_ECDSA_SHA256, 
+        IMPL_PACKAGE_NAME + ".STALSignature");
 
     AccessController.doPrivileged(new PrivilegedAction<Void>() {
       @Override
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java
index 26ddb153..3cebb6a3 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java
@@ -628,9 +628,20 @@ public class Signature {
     
     String target = "#" + signatureId;
     
+    DigestMethod dm;
+    try {
+      dm = ctx.getAlgorithmMethodFactory().createDigestMethod(ctx);
+    } catch (NoSuchAlgorithmException e) {
+      log.error("Failed to get DigestMethod algorithm.", e);
+      throw new SLCommandException(4006);
+    } catch (InvalidAlgorithmParameterException e) {
+      log.error("Failed to get DigestMethod algorithm.", e);
+      throw new SLCommandException(4006);
+    }
+    
     JAXBElement<QualifyingPropertiesType> qualifyingProperties;
     try {
-      qualifyingProperties = factory.createQualifyingProperties111(target, date, signingCertificates, idValue, dataObjectFormats);
+      qualifyingProperties = factory.createQualifyingProperties111(target, date, signingCertificates, idValue, dataObjectFormats, dm);
     } catch (QualifyingPropertiesException e) {
       log.error("Failed to create QualifyingProperties.", e);
       throw new SLCommandException(4000);
@@ -665,7 +676,10 @@ public class Signature {
     String referenceURI = "#xmlns(xades=http://uri.etsi.org/01903/v1.1.1%23)%20xpointer(id('"
         + objectIdValue
         + "')/child::xades:QualifyingProperties/child::xades:SignedProperties)";
-    DigestMethod dm;
+    
+    String referenceIdValue = ctx.getIdValueFactory().createIdValue("Reference");
+    String referenceType = QualifyingPropertiesFactory.SIGNED_PROPERTIES_REFERENCE_TYPE_V1_1_1;
+    
     try {
       dm = ctx.getAlgorithmMethodFactory().createDigestMethod(ctx);
     } catch (NoSuchAlgorithmException e) {
@@ -675,10 +689,7 @@ public class Signature {
       log.error("Failed to get DigestMethod algorithm.", e);
       throw new SLCommandException(4006);
     }
-    
-    String referenceIdValue = ctx.getIdValueFactory().createIdValue("Reference");
-    String referenceType = QualifyingPropertiesFactory.SIGNED_PROPERTIES_REFERENCE_TYPE_V1_1_1;
-    
+
     Reference reference = ctx.getSignatureFactory().newReference(referenceURI, dm, null, referenceType, referenceIdValue);
     
     references.add(reference);
diff --git a/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages.properties b/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages.properties
index db56184e..c5bfce18 100644
--- a/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages.properties
+++ b/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages.properties
@@ -91,7 +91,7 @@ ec3002.invalid=XML-Struktur der Befehlsanfrage entspricht nicht dem Schema des S
 # 4xxx
 #
 
-ec4000.infobox.invalid=Die Infobox '{0}' enthält ungültige Daten.
+ec4000.infobox.invalid=Die Infobox {0} enthält ungültige Daten.
 ec4000.idlink.transfomation.failed=Die komprimierte Personenbindung konnte mit dem Stylesheet {0} nicht transformiert werden.
 ec4002.infobox.unknown=Unbekannter Infoboxbezeichner {0}.
 ec4003.not.resolved=Zu signierendes Datum kann nicht aufgelöst werden (URI={0}).
diff --git a/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages_en.properties b/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages_en.properties
index 6c67ba87..a8bffdc6 100644
--- a/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages_en.properties
+++ b/bkucommon/src/main/resources/at/gv/egiz/bku/slexceptions/SLExceptionMessages_en.properties
@@ -91,7 +91,7 @@ ec3002.invalid=XML structure of the command request does not comply with the Sec
 # 4xxx
 #
 
-ec4000.infobox.invalid=The infobox '{0}' contains invalid content.
+ec4000.infobox.invalid=The infobox {0} contains invalid content.
 ec4000.idlink.transfomation.failed=Failed to transform CompressedIdentityLink with Stylesheet {0}.
 ec4002.infobox.unknown=Unknown info box identifier {0}.
 ec4003.not.resolved=Data to be signed cannot be resolved from URI={0}.
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index 414d4678..a63d4076 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -16,9 +16,13 @@
 */
 package at.gv.egiz.smcc;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.List;
 
@@ -375,12 +379,46 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   
   @Override
   @Exclusive
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException, InterruptedException {
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName,
+      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
   
-    if (hash.length != 20) {
-      throw new IllegalArgumentException("Hash value must be of length 20.");
+    ByteArrayOutputStream dst = new ByteArrayOutputStream();
+    // key ID
+    dst.write(new byte[]{(byte) 0x84, (byte) 0x01, (byte) 0x88});
+    // algorithm ID
+    dst.write(new byte[]{(byte) 0x80, (byte) 0x01});
+    
+    MessageDigest md;
+    try {
+      if ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg)) {
+        dst.write((byte) 0x14); // SHA-1/ECC
+        md = MessageDigest.getInstance("SHA-1");
+      } else if ("http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg)) {
+        dst.write((byte) 0x12); // SHA-1 with padding according to PKCS#1 block type 01
+        md = MessageDigest.getInstance("SHA-1");
+      } else if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)
+          && appVersion >= 2
+          && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256".equals(alg)) {
+        dst.write((byte) 0x44); // SHA-256/ECC
+        md = MessageDigest.getInstance("SHA256");
+      } else if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)
+          && appVersion >= 2
+          && "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".equals(alg)) {
+        dst.write((byte) 0x41); // SHA-256 with padding according to PKCS#1
+        md = MessageDigest.getInstance("SHA256");
+      } else {
+        throw new SignatureCardException("Card does not support signature algorithm " + alg + ".");
+      }
+    } catch (NoSuchAlgorithmException e) {
+      log.error("Failed to get MessageDigest.", e);
+      throw new SignatureCardException(e);
     }
+    
+    byte[] digest = new byte[md.getDigestLength()];
+    for (int l; (l = input.read(digest)) != -1;) {
+      md.update(digest, 0, l);
+    }
+    digest = md.digest();
   
     try {
       
@@ -393,11 +431,11 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
         // SELECT application
         execSELECT_AID(channel, AID_SIG);
         // MANAGE SECURITY ENVIRONMENT : SET DST
-        execMSE(channel, 0x41, 0xb6, DST_SIG);
+        execMSE(channel, 0x41, 0xb6, dst.toByteArray());
         // VERIFY
         verifyPINLoop(channel, spec, provider);
         // PERFORM SECURITY OPERATION : HASH
-        execPSO_HASH(channel, hash);
+        execPSO_HASH(channel, digest);
         // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATRE
         return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel);
     
@@ -413,7 +451,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
         while (true) {
           try {
             // INTERNAL AUTHENTICATE
-            return execINTERNAL_AUTHENTICATE(channel, hash);
+            return execINTERNAL_AUTHENTICATE(channel, digest);
           } catch (SecurityStatusNotSatisfiedException e) {
             verifyPINLoop(channel, spec, provider);
           }
@@ -711,6 +749,9 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
 
     ResponseAPDU resp = channel.transmit(
         new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, 256));
+    if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
+    }
     if (resp.getSW() != 0x9000) {
       throw new SignatureCardException(
           "PSO - COMPUTE DIGITAL SIGNATRE failed: SW="
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java b/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java
new file mode 100644
index 00000000..15b47fb0
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java
@@ -0,0 +1,283 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+
+package at.gv.egiz.smcc;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.smcc.util.ISO7816Utils;
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+public class BELPICCard extends AbstractSignatureCard implements SignatureCard {
+  
+    /**
+     * Logging facility.
+     */
+    private static Log log = LogFactory.getLog(BELPICCard.class);
+
+    public static final byte[] MF = new byte[] { (byte) 0x3F, (byte) 0x00 };
+
+    public static final byte[] DF_BELPIC = new byte[] { (byte) 0xDF,
+            (byte) 0x00 };
+
+    public static final byte[] DF_ID = new byte[] { (byte) 0xDF, (byte) 0x01 };
+
+    public static final byte[] SIGN_CERT = new byte[] { (byte) 0x50,
+            (byte) 0x39 };
+
+//    public static final byte MSE_SET_ALGO_REF = (byte) 0x02;
+
+//    public static final byte MSE_SET_PRIV_KEY_REF = (byte) 0x83;
+
+    public static final int SIGNATURE_LENGTH = (int) 0x80;
+
+    public static final byte KID = (byte) 0x01;
+
+    public static final int READ_BUFFER_LENGTH = 256;
+
+    public static final int PINSPEC_SS = 0;
+    
+  private static final PINSpec SS_PIN_SPEC = 
+    new PINSpec(4, 12, "[0-9]",
+      "at/gv/egiz/smcc/BelpicCard", "sig.pin", KID, DF_BELPIC);
+    
+  /**
+   * Creates a new instance.
+   */
+  public BELPICCard() {
+    super("at/gv/egiz/smcc/BelpicCard");
+    pinSpecs.add(SS_PIN_SPEC);
+  }
+
+  @Override
+  @Exclusive
+  public byte[] getCertificate(KeyboxName keyboxName)
+      throws SignatureCardException {
+
+    if (keyboxName != KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+      throw new IllegalArgumentException("Keybox " + keyboxName
+          + " not supported");
+    }
+
+    try {
+      CardChannel channel = getCardChannel();
+      // SELECT MF
+      execSELECT_FID(channel, MF);
+      // SELECT application
+      execSELECT_FID(channel, DF_BELPIC);
+      // SELECT file
+      execSELECT_FID(channel, SIGN_CERT);
+      // READ BINARY
+      byte[] certificate = ISO7816Utils.readTransparentFileTLV(channel, -1, (byte) 0x30);
+      if (certificate == null) {
+        throw new NotActivatedException();
+      }
+      return certificate;
+    } catch (FileNotFoundException e) {
+      throw new NotActivatedException();
+    } catch (CardException e) {
+      log.info("Failed to get certificate.", e);
+      throw new SignatureCardException(e);
+    }
+
+  }
+
+  @Override
+  @Exclusive
+  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+      throws SignatureCardException, InterruptedException {
+      
+    throw new IllegalArgumentException("Infobox '" + infobox
+        + "' not supported.");
+  }
+
+  @Override
+  @Exclusive
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName,
+      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
+    
+    if (KeyboxName.SECURE_SIGNATURE_KEYPAIR != keyboxName) {
+      throw new SignatureCardException("Card does not support key " + keyboxName + ".");
+    }
+    if (!"http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg)) {
+      throw new SignatureCardException("Card does not support algorithm " + alg + ".");
+    }
+    
+    byte[] dst = new byte[] { (byte) 0x04, // number of following
+        // bytes
+        (byte) 0x80, // tag for algorithm reference
+        (byte) 0x02, // algorithm reference
+        (byte) 0x84, // tag for private key reference
+        (byte) 0x83 // private key reference
+    };
+    
+    MessageDigest md;
+    try {
+      md = MessageDigest.getInstance("SHA-1");
+    } catch (NoSuchAlgorithmException e) {
+      log.error("Failed to get MessageDigest.", e);
+      throw new SignatureCardException(e);
+    }
+    // calculate message digest
+    byte[] digest = new byte[md.getDigestLength()];
+    for (int l; (l = input.read(digest)) != -1;) {
+      md.update(digest, 0, l);
+    }
+    digest = md.digest();
+
+    try {
+      
+      CardChannel channel = getCardChannel();
+
+      // SELECT MF
+      execSELECT_FID(channel, MF);
+      // VERIFY
+      execMSE(channel, 0x41, 0xb6, dst);
+      // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
+      verifyPINLoop(channel, SS_PIN_SPEC, provider);
+      // MANAGE SECURITY ENVIRONMENT : SET DST
+      return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, digest);
+
+    } catch (CardException e) {
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
+    }
+
+  }
+
+  public String toString() {
+    return "Belpic Card";
+  }
+  
+  protected void verifyPINLoop(CardChannel channel, PINSpec spec,
+      PINProvider provider) throws LockedException, NotActivatedException,
+      SignatureCardException, InterruptedException, CardException {
+    
+    int retries = -1; //verifyPIN(channel, spec, null, -1);
+    do {
+      retries = verifyPIN(channel, spec, provider, retries);
+    } while (retries > 0);
+  }
+
+  protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
+      PINProvider provider, int retries) throws SignatureCardException,
+      LockedException, NotActivatedException, InterruptedException,
+      CardException {
+    
+    VerifyAPDUSpec apduSpec = new VerifyAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x00, pinSpec.getKID(), (byte) 0x08,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
+    
+    ResponseAPDU resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    
+    if (resp.getSW() == 0x9000) {
+      return -1;
+    }
+    if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    }
+    
+    switch (resp.getSW()) {
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
+    case 0x6984:
+      // reference data not usable
+      throw new NotActivatedException();
+    case 0x6985:
+      // conditions of use not satisfied
+      throw new NotActivatedException();
+  
+    default:
+      String msg = "VERIFY failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+    
+  }
+  
+  protected byte[] execSELECT_FID(CardChannel channel, byte[] fid)
+      throws SignatureCardException, CardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x02, 0x0C, fid, 256));
+    
+    if (resp.getSW() == 0x6A82) {
+      String msg = "File or application not found FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new FileNotFoundException(msg);
+    } else if (resp.getSW() != 0x9000) {
+      String msg = "Failed to select application FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.error(msg);
+      throw new SignatureCardException(msg);
+    } else {
+      return resp.getBytes();
+    }
+    
+  }
+  
+  protected void execMSE(CardChannel channel, int p1, int p2, byte[] data)
+      throws CardException, SignatureCardException {
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0x22, p1, p2, data, 256));
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("MSE:SET failed: SW="
+          + Integer.toHexString(resp.getSW()));
+    }
+  }
+
+  protected byte[] execPSO_COMPUTE_DIGITAL_SIGNATURE(CardChannel channel, byte[] hash)
+      throws CardException, SignatureCardException {
+    ResponseAPDU resp;
+    resp = channel.transmit(
+        new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, hash, 256));
+    if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
+    } else if (resp.getSW() == 0x6983) {
+      throw new LockedException();
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException(
+          "PSO: COMPUTE DIGITAL SIGNATRE failed: SW="
+              + Integer.toHexString(resp.getSW()));
+    } else {
+      return resp.getData();
+    }
+  }
+
+
+
+    
+}
\ No newline at end of file
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java
new file mode 100644
index 00000000..831a1f9b
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java
@@ -0,0 +1,297 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+package at.gv.egiz.smcc;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CommandAPDU;
+import javax.smartcardio.ResponseAPDU;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.smcc.util.ISO7816Utils;
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+public class ITCard extends AbstractSignatureCard {
+  
+  /**
+   * Logging facility.
+   */
+  private static Log log = LogFactory.getLog(STARCOSCard.class);
+  
+  public static final byte[] MF = new byte[] { (byte) 0x3F, (byte) 0x00 };
+  
+  public static final byte[] DF1 = new byte[] { (byte) 0x11, (byte) 0x00 };
+  
+  public static final byte[] EF_C_Carta = new byte[] { (byte) 0x11, (byte) 0x01 };
+  
+  private static final PINSpec SS_PIN_SPEC = 
+    new PINSpec(5, 8, "[0-9]", 
+        "at/gv/egiz/smcc/ITCard", "sig.pin", (byte) 0x10, 
+        new byte[] { (byte) 0x11, (byte) 0x00 });
+
+  /**
+   * Creates a new instance.
+   */
+  public ITCard() {
+    super("at/gv/egiz/smcc/ITCard");
+    pinSpecs.add(SS_PIN_SPEC);
+  }
+
+  @Override
+  @Exclusive
+  public byte[] getCertificate(KeyboxName keyboxName)
+      throws SignatureCardException, InterruptedException {
+
+    if (keyboxName != KeyboxName.SECURE_SIGNATURE_KEYPAIR) {
+      throw new IllegalArgumentException("Keybox " + keyboxName
+          + " not supported");
+    }
+
+    try {
+      CardChannel channel = getCardChannel();
+      // SELECT MF
+      execSELECT_FID(channel, MF);
+      // SELECT application
+      execSELECT_FID(channel, DF1);
+      // SELECT EF_C_Carta
+      byte[] fcx = execSELECT_FID(channel, EF_C_Carta);
+      int maxsize = ISO7816Utils.getLengthFromFCx(fcx);
+      // READ BINARY
+      byte[] certificate = ISO7816Utils.readTransparentFileTLV(channel, maxsize, (byte) 0x30);
+      if (certificate == null) {
+        throw new NotActivatedException();
+      }
+      return certificate;
+    } catch (FileNotFoundException e) {
+      throw new NotActivatedException();
+    } catch (CardException e) {
+      log.info("Failed to get certificate.", e);
+      throw new SignatureCardException(e);
+    }
+    
+  }
+
+  @Override
+  @Exclusive
+  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+      throws SignatureCardException, InterruptedException {
+      
+    throw new IllegalArgumentException("Infobox '" + infobox
+        + "' not supported.");
+  }
+
+  @Override
+  @Exclusive
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName,
+      PINProvider provider, String alg) throws SignatureCardException,
+      InterruptedException, IOException {
+
+    if (KeyboxName.SECURE_SIGNATURE_KEYPAIR != keyboxName) {
+      throw new SignatureCardException("Card does not support key " + keyboxName + ".");
+    }
+    if (!"http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg)) {
+      throw new SignatureCardException("Card does not support algorithm " + alg + ".");
+    }
+
+    byte[] dst = new byte[] {
+        (byte) 0x83, // tag for algorithm reference
+        (byte) 0x01, // algorithm reference
+        (byte) 0x01  // private key reference
+    };
+    
+    MessageDigest md;
+    try {
+      md = MessageDigest.getInstance("SHA-1");
+    } catch (NoSuchAlgorithmException e) {
+      log.error("Failed to get MessageDigest.", e);
+      throw new SignatureCardException(e);
+    }
+    // calculate message digest
+    byte[] digest = new byte[md.getDigestLength()];
+    for (int l; (l = input.read(digest)) != -1;) {
+      md.update(digest, 0, l);
+    }
+    digest = md.digest();
+
+    try {
+      
+      CardChannel channel = getCardChannel();
+
+      // SELECT MF
+      execSELECT_FID(channel, MF);
+      // VERIFY
+      verifyPINLoop(channel, SS_PIN_SPEC, provider);
+      // MANAGE SECURITY ENVIRONMENT : RESTORE SE
+      execMSE(channel, 0xF3, 0x03, null);
+      // MANAGE SECURITY ENVIRONMENT : SET DST
+      execMSE(channel, 0xF1, 0xB8, dst);
+      // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
+      return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, digest);
+
+    } catch (CardException e) {
+      log.warn(e);
+      throw new SignatureCardException("Failed to access card.", e);
+    }
+
+  }
+
+  protected void verifyPINLoop(CardChannel channel, PINSpec spec,
+      PINProvider provider) throws LockedException, NotActivatedException,
+      SignatureCardException, InterruptedException, CardException {
+    
+    int retries = -1;
+    do {
+      retries = verifyPIN(channel, spec, provider, retries);
+    } while (retries >= -1);
+  }
+
+  protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
+      PINProvider provider, int retries) throws SignatureCardException,
+      LockedException, NotActivatedException, InterruptedException,
+      CardException {
+    
+    VerifyAPDUSpec apduSpec = new VerifyAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x20, (byte) 0x00, pinSpec.getKID(), (byte) 0x08,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+        0, VerifyAPDUSpec.PIN_FORMAT_ASCII, 8);
+    
+    ResponseAPDU resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    
+    if (resp.getSW() == 0x9000) {
+      return -2;
+    }
+    if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    }
+    
+    switch (resp.getSW()) {
+    case 0x6300:
+      // incorrect PIN, number of retries not provided
+      return -1;
+    case 0x6983:
+      // authentication method blocked
+      throw new LockedException();
+    case 0x6984:
+      // reference data not usable
+      throw new NotActivatedException();
+    case 0x6985:
+      // conditions of use not satisfied
+      throw new NotActivatedException();
+  
+    default:
+      String msg = "VERIFY failed. SW=" + Integer.toHexString(resp.getSW()); 
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+    
+  }
+
+  protected byte[] execSELECT_FID(CardChannel channel, byte[] fid)
+      throws SignatureCardException, CardException {
+    
+    ResponseAPDU resp = channel.transmit(
+        new CommandAPDU(0x00, 0xA4, 0x00, 0x00, fid, 256));
+    
+    if (resp.getSW() == 0x6A82) {
+      String msg = "File or application not found FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.info(msg);
+      throw new FileNotFoundException(msg);
+    } else if (resp.getSW() != 0x9000) {
+      String msg = "Failed to select application FID="
+          + SMCCHelper.toString(fid) + " SW="
+          + Integer.toHexString(resp.getSW()) + ".";
+      log.error(msg);
+      throw new SignatureCardException(msg);
+    } else {
+      return resp.getBytes();
+    }
+    
+  }
+  
+  protected void execMSE(CardChannel channel, int p1, int p2, byte[] data)
+      throws CardException, SignatureCardException {
+    
+    ResponseAPDU resp;
+    if (data == null) {
+      resp = channel.transmit(new CommandAPDU(0x00, 0x22, p1, p2));
+    } else {
+      resp = channel.transmit(new CommandAPDU(0x00, 0x22, p1, p2, data));
+    }
+    
+    if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException("MSE:SET failed: SW="
+          + Integer.toHexString(resp.getSW()));
+    }
+  }
+
+  protected byte[] execPSO_COMPUTE_DIGITAL_SIGNATURE(CardChannel channel,
+      byte[] hash) throws CardException, SignatureCardException {
+    
+    byte[] oid = new byte[] { (byte) 0x30, (byte) 0x21, (byte) 0x30,
+        (byte) 0x09, (byte) 0x06, (byte) 0x05, (byte) 0x2b,
+        (byte) 0x0e, (byte) 0x03, (byte) 0x02, (byte) 0x1a,
+        (byte) 0x05, (byte) 0x00, (byte) 0x04, (byte) 0x14 };
+    
+    ByteArrayOutputStream data = new ByteArrayOutputStream();
+    
+    try {
+      // header
+      data.write(new byte[] { (byte) 0x00, (byte) 0x00, (byte) 0x01 });
+      // padding
+      for (int i = 0, len = 125 - hash.length - oid.length; i < len; i++) {
+        data.write((byte) 0xFF);
+      }
+      data.write((byte) 0x00);
+      // oid
+      data.write(oid);
+      // hash
+      data.write(hash);
+    } catch (IOException e) {
+      throw new SignatureCardException(e);
+    }
+    
+    ResponseAPDU resp = channel
+          .transmit(new CommandAPDU(0x00, 0x2A, 0x80, 0x86, data.toByteArray(), 0x81));
+
+    
+    if (resp.getSW() == 0x6982) {
+      throw new SecurityStatusNotSatisfiedException();
+    } else if (resp.getSW() == 0x6983) {
+      throw new LockedException();
+    } else if (resp.getSW() != 0x9000) {
+      throw new SignatureCardException(
+          "PSO: COMPUTE DIGITAL SIGNATRE failed: SW="
+              + Integer.toHexString(resp.getSW()));
+    } else {
+      return resp.getData();
+    }
+}
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index a0c2391d..01de8a77 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -19,11 +19,16 @@ package at.gv.egiz.smcc;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.List;
 
+import javax.smartcardio.Card;
 import javax.smartcardio.CardChannel;
 import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
 import javax.smartcardio.CommandAPDU;
 import javax.smartcardio.ResponseAPDU;
 
@@ -41,6 +46,8 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   private static Log log = LogFactory.getLog(STARCOSCard.class);
 
   public static final byte[] MF = new byte[] { (byte) 0x3F, (byte) 0x00 };
+  
+  public static final byte[] EF_VERSION = new byte[] { (byte) 0x00, (byte) 0x32 };
 
   /**
    * Application ID <em>SV-Personendaten</em>.
@@ -106,19 +113,6 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   public static final byte[] EF_C_X509_CA_CS_DS = new byte[] { (byte) 0xc6,
       (byte) 0x08 };
 
-  public static final byte[] DST_SS = new byte[] { (byte) 0x84, (byte) 0x03, // tag
-      // ,
-      // length
-      // (
-      // key
-      // desc
-      // .
-      // )
-      (byte) 0x80, (byte) 0x02, (byte) 0x00, // local, key ID, key version
-      (byte) 0x89, (byte) 0x03, // tag, length (algorithm ID)
-      (byte) 0x13, (byte) 0x35, (byte) 0x10 // ECDSA
-  };
-
   public static final byte KID_PIN_SS = (byte) 0x81;
 
   // Gewöhnliche Signatur (GS)
@@ -133,19 +127,6 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   public static final byte[] EF_C_X509_CA_CS = new byte[] { (byte) 0x2f,
       (byte) 0x02 };
 
-  public static final byte[] DST_GS = new byte[] { (byte) 0x84, (byte) 0x03, // tag
-      // ,
-      // length
-      // (
-      // key
-      // desc
-      // .
-      // )
-      (byte) 0x80, (byte) 0x02, (byte) 0x00, // local, key ID, key version
-      (byte) 0x89, (byte) 0x03, // tag, length (algorithm ID)
-      (byte) 0x13, (byte) 0x35, (byte) 0x10 // ECDSA
-  };
-
   public static final byte KID_PIN_CARD = (byte) 0x01;
 
   private static final PINSpec CARD_PIN_SPEC =
@@ -155,9 +136,11 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   private static final PINSpec SS_PIN_SPEC =
     new PINSpec(6, 12, "[0-9]", 
         "at/gv/egiz/smcc/STARCOSCard", "sig.pin", KID_PIN_SS, AID_DF_SS);
+  
+  protected double version = 1.1;
 
   /**
-   * Creates an new instance.
+   * Creates a new instance.
    */
   public STARCOSCard() {
     super("at/gv/egiz/smcc/STARCOSCard");
@@ -165,6 +148,35 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
     pinSpecs.add(SS_PIN_SPEC);
   }
  
+  /* (non-Javadoc)
+   * @see at.gv.egiz.smcc.AbstractSignatureCard#init(javax.smartcardio.Card, javax.smartcardio.CardTerminal)
+   */
+  @Override
+  public void init(Card card, CardTerminal cardTerminal) {
+    super.init(card, cardTerminal);
+    
+    // determine application version
+    CardChannel channel = getCardChannel();
+    try {
+      // SELECT MF
+      execSELECT_MF(channel);
+      // SELECT EF_VERSION
+      execSELECT_FID(channel, EF_VERSION);
+      // READ BINARY
+      byte[] ver = ISO7816Utils.readRecord(channel, 1);
+      if (ver[0] == (byte) 0xa5 && ver[2] == (byte) 0x53) {
+        version = (0x0F & ver[4]) + (0xF0 & ver[5])/160.0 + (0x0F & ver[5])/100.0;
+        String generation = (version < 1.2) ? "<= G2" : "G3";
+        log.info("e-card version=" + version + " (" + generation + ")");
+      }
+    } catch (CardException e) {
+      log.warn(e);
+    } catch (SignatureCardException e) {
+      log.warn(e);
+    }
+    
+  }
+
   @Override
   @Exclusive
   public byte[] getCertificate(KeyboxName keyboxName)
@@ -281,19 +293,57 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
 
   @Override
   @Exclusive
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException, InterruptedException {
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName,
+      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
   
-    if (hash.length != 20) {
-      throw new IllegalArgumentException("Hash value must be of length 20.");
+    ByteArrayOutputStream dst = new ByteArrayOutputStream();
+    byte[] ht = null;
+    
+    MessageDigest md = null;
+    try {
+      if (version < 1.2 && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg)) {
+        // local key ID '02' version '00'
+        dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00});
+        // algorithm ID ECDSA with SHA-1
+        dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10});
+        md = MessageDigest.getInstance("SHA-1");
+      } else if (version >= 1.2 && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256".equals(alg)) {
+        // local key ID '02' version '00'
+        dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00});
+        // portable algorithm reference
+        dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x04});
+        // hash template
+        ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x40};
+        md = MessageDigest.getInstance("SHA256");
+      } else if (version >= 1.2 && "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".equals(alg)) {
+        // local key ID '03' version '00'
+        dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x03, (byte) 0x00});
+        // portable algorithm reference
+        dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x02});
+        // hash template
+        ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x40};
+        md = MessageDigest.getInstance("SHA256");
+      } else {
+        throw new SignatureCardException("e-card versio " + version + " does not support signature algorithm " + alg + ".");
+      }
+    } catch (NoSuchAlgorithmException e) {
+      log.error("Failed to get MessageDigest.", e);
+      throw new SignatureCardException(e);
     }
-  
+    
+    // calculate message digest
+    byte[] digest = new byte[md.getDigestLength()];
+    for (int l; (l = input.read(digest)) != -1;) {
+      md.update(digest, 0, l);
+    }
+    digest = md.digest();
+
     try {
       
       CardChannel channel = getCardChannel();
       
       if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName)) {
-
+        
         PINSpec spec = SS_PIN_SPEC;
         
         // SELECT MF
@@ -303,11 +353,21 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
         // VERIFY
         verifyPINLoop(channel, spec, provider);
         // MANAGE SECURITY ENVIRONMENT : SET DST
-        execMSE(channel, 0x41, 0xb6, DST_SS);
-        // PERFORM SECURITY OPERATION : HASH
-        execPSO_HASH(channel, hash);
-        // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
-        return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel);
+        execMSE(channel, 0x41, 0xb6, dst.toByteArray());
+        if (ht != null) {
+          // PERFORM SECURITY OPERATION : SET HT
+          execMSE(channel, 0x41, 0xaa, ht);
+        }
+        if (version < 1.2) {
+          // PERFORM SECURITY OPERATION : HASH
+          execPSO_HASH(channel, digest);
+          // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
+          return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, null);
+        } else {
+          // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
+          return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, digest);
+        }
+        
         
       } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) {
 
@@ -316,14 +376,17 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
         // SELECT application
         execSELECT_AID(channel, AID_DF_GS);
         // MANAGE SECURITY ENVIRONMENT : SET DST
-        execMSE(channel, 0x41, 0xb6, DST_GS);
+        execMSE(channel, 0x41, 0xb6, dst.toByteArray());
+        if (ht != null) {
+          // PERFORM SECURITY OPERATION : SET HT
+          execMSE(channel, 0x41, 0xaa, ht);
+        }
         // PERFORM SECURITY OPERATION : HASH
-        execPSO_HASH(channel, hash);
-        
+        execPSO_HASH(channel, digest);
         while (true) {
           try {
             // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
-            return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel);
+            return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, null);
           } catch (SecurityStatusNotSatisfiedException e) {
             verifyPINLoop(channel, spec, provider);
           }
@@ -682,7 +745,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
     ResponseAPDU resp = channel.transmit(
         new CommandAPDU(0x00, 0x22, p1, p2, data));
     if (resp.getSW() != 0x9000) {
-      throw new SignatureCardException("MSE:SET DST failed: SW="
+      throw new SignatureCardException("MSE:SET failed: SW="
           + Integer.toHexString(resp.getSW()));
     }
   }
@@ -701,10 +764,47 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
     }
   }
 
-  protected byte[] execPSO_COMPUTE_DIGITAL_SIGNATURE(CardChannel channel)
+  protected void execPSO_HASH(CardChannel channel, InputStream input)
+      throws SignatureCardException, CardException {
+    ResponseAPDU resp;
+    int blockSize = 64;
+    byte[] b = new byte[blockSize];
+    try {
+      ByteArrayOutputStream data = new ByteArrayOutputStream();
+      // initialize
+      data.write((byte) 0x90);
+      data.write((byte) 0x00);
+      resp = channel.transmit(
+          new CommandAPDU(0x10, 0x2A, 0x90, 0xA0, data.toByteArray()));
+      data.reset();
+      for (int l; (l = input.read(b)) != -1;) {
+        data.write((byte) 0x80);
+        data.write(l);
+        data.write(b, 0, l);
+        resp = channel.transmit(
+            new CommandAPDU((l == blockSize) ? 0x10 : 0x00, 0x2A, 0x90, 0xA0, data.toByteArray()));
+        if (resp.getSW() != 0x9000) {
+          throw new SignatureCardException("PSO:HASH failed: SW="
+              + Integer.toHexString(resp.getSW()));
+        }
+        data.reset();
+      }
+    } catch (IOException e) {
+      throw new SignatureCardException(e);
+    }
+    
+  }
+
+  protected byte[] execPSO_COMPUTE_DIGITAL_SIGNATURE(CardChannel channel, byte[] hash)
       throws CardException, SignatureCardException {
-    ResponseAPDU resp = channel.transmit(
-        new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, 256));
+    ResponseAPDU resp;
+    if (hash != null) {
+      resp = channel.transmit(
+          new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, hash, 256));
+    } else {
+      resp = channel.transmit(
+          new CommandAPDU(0x00, 0x2A, 0x9E, 0x9A, 256));
+    }
     if (resp.getSW() == 0x6982) {
       throw new SecurityStatusNotSatisfiedException();
     } else if (resp.getSW() == 0x6983) {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
index 279362c0..670704d5 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
@@ -20,6 +20,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
@@ -308,7 +309,7 @@ public class SWCard implements SignatureCard {
   }
 
   @Override
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName, PINProvider provider) throws SignatureCardException, InterruptedException {
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName, PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
 
     // KeyStore password
     char[] password = getPassword(keyboxName);
@@ -363,7 +364,10 @@ public class SWCard implements SignatureCard {
     try {
       Signature signature = Signature.getInstance(algorithm);
       signature.initSign(privateKey);
-      signature.update(hash);
+      int l;
+      for (byte[] b = new byte[20]; (l = input.read(b)) != -1;) {
+        signature.update(b, 0, l);
+      }
       return signature.sign();
     } catch (NoSuchAlgorithmException e) {
       String msg = "Algorithm + '" + algorithm + "' not supported for signing.";
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
index 1a163783..3d56f97b 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
@@ -18,6 +18,9 @@
 package at.gv.egiz.smcc;
 
 import at.gv.egiz.smcc.ccid.CCID;
+
+import java.io.IOException;
+import java.io.InputStream;
 import java.util.Locale;
 
 import javax.smartcardio.Card;
@@ -101,15 +104,17 @@ public interface SignatureCard {
 
   /**
    * 
-   * @param hash
+   * @param input
    * @param keyboxName
    * @param provider
+   * @param alg TODO
    * @return
    * @throws at.gv.egiz.smcc.SignatureCardException
    * @throws java.lang.InterruptedException if applet is destroyed while in pin dialog
+   * @throws IOException 
    */
-  public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-      PINProvider provider) throws SignatureCardException, InterruptedException;
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName,
+      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException;
 
   public CCID getReader();
 
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
index 26844473..47053f98 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCardFactory.java
@@ -170,21 +170,21 @@ public class SignatureCardFactory {
         },
         "at.gv.egiz.smcc.STARCOSCard"));
     
-//    // e-card G3
-//    supportedCards.add(new SupportedCard(
-//        // ATR  (3b:dd:96:ff:81:b1:fe:45:1f:03:80:31:b0:52:02:03:64:04:1b:b4:22:81:05:18)
-//        new byte[] {
-//            (byte) 0x3b, (byte) 0xdd, (byte) 0x96, (byte) 0xff, (byte) 0x81, (byte) 0xb1, (byte) 0xfe, (byte) 0x45, 
-//            (byte) 0x1f, (byte) 0x03, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
-//            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00
-//        },
-//        // mask (
-//        new byte[] {
-//            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
-//            (byte) 0xff, (byte) 0xff, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
-//            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 
-//        },
-//        "at.gv.egiz.smcc.STARCOSCard"));
+    // e-card G3
+    supportedCards.add(new SupportedCard(
+        // ATR  (3b:dd:96:ff:81:b1:fe:45:1f:03:80:31:b0:52:02:03:64:04:1b:b4:22:81:05:18)
+        new byte[] {
+            (byte) 0x3b, (byte) 0xdd, (byte) 0x96, (byte) 0xff, (byte) 0x81, (byte) 0xb1, (byte) 0xfe, (byte) 0x45, 
+            (byte) 0x1f, (byte) 0x03, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00
+        },
+        // mask (
+        new byte[] {
+            (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+            (byte) 0xff, (byte) 0xff, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 
+            (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 
+        },
+        "at.gv.egiz.smcc.STARCOSCard"));
 
     // a-sign premium
     supportedCards.add(new SupportedCard(
@@ -202,6 +202,72 @@ public class SignatureCardFactory {
         },
         "at.gv.egiz.smcc.ACOSCard"));
 
+    // BELPIC
+    supportedCards.add(new SupportedCard(
+            // ATR (3b:98:13:40:0A:A5:03:01:01:01:AD:13:11)
+            new byte[] { (byte) 0x3b, (byte) 0x98, (byte) 0x13,
+                    (byte) 0x40, (byte) 0x0a, (byte) 0xa5, (byte) 0x03,
+                    (byte) 0x01, (byte) 0x01, (byte) 0x01, (byte) 0xad,
+                    (byte) 0x13, (byte) 0x11 },
+            // mask (ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff)
+            new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                    (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                    (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                    (byte) 0xff, (byte) 0xff },
+            "at.gv.egiz.smcc.BELPICCard"));
+    
+    // ITCards
+    supportedCards.add(new SupportedCard(
+    // ATR =
+    // [3b:ff:18:00:ff:81:31:fe:55:00:6b:02:09:02:00:01:11:01:43:4e:53:11:31:80:8e]
+            new byte[] { (byte) 0x3b, (byte) 0xff, (byte) 0x18,
+                    (byte) 0x00, (byte) 0xff, (byte) 0x81, (byte) 0x31,
+                    (byte) 0xfe, (byte) 0x55, (byte) 0x00, (byte) 0x6b,
+                    (byte) 0x02, (byte) 0x09 /*
+                                             * , (byte) 0x02, (byte) 0x00,
+                                             * (byte) 0x01, (byte) 0x11,
+                                             * (byte) 0x01, (byte) 0x43,
+                                             * (byte) 0x4e, (byte) 0x53,
+                                             * (byte) 0x11, (byte) 0x31,
+                                             * (byte) 0x80, (byte) 0x8e
+                                             */
+            },
+            // mask (ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff)
+            new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                    (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                    (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                    (byte) 0xff, (byte) 0xff /*
+                                             * , (byte) 0xff, (byte) 0xff,
+                                             * (byte) 0xff, (byte) 0xff,
+                                             * (byte) 0xff, (byte) 0xff,
+                                             * (byte) 0xff, (byte) 0xff,
+                                             * (byte) 0xff, (byte) 0xff,
+                                             * (byte) 0xff, (byte) 0xff
+                                             */
+            }, "at.gv.egiz.smcc.ITCard"));
+    supportedCards.add(new SupportedCard(
+        // ATR
+        // (3B:FF:18:00:FF:C1:0A:31:FE:55:00:6B:05:08:C8:05:01:01:01:43:4E:53:10:31:80:1C)
+        new byte[] { (byte) 0x3b, (byte) 0xff, (byte) 0x18,
+                (byte) 0x00, (byte) 0xFF, (byte) 0xC1, (byte) 0x0a,
+                (byte) 0x31, (byte) 0xfe, (byte) 0x55, (byte) 0x00,
+                (byte) 0x6B, (byte) 0x05, (byte) 0x08, (byte) 0xC8,
+                (byte) 0x05, (byte) 0x01, (byte) 0x01, (byte) 0x01,
+                (byte) 0x43, (byte) 0x4E, (byte) 0x53, (byte) 0x10,
+                (byte) 0x31, (byte) 0x80, (byte) 0x1C },
+        // mask
+        // (ff:ff:ff:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:00:00:00:00)
+        new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+                (byte) 0xff, (byte) 0xff, (byte) 0xff },
+        "at.gv.egiz.smcc.ITCard"));
+
+    
+    
   }
 
   /**
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java b/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java
index c5c7cbc9..fcd0b876 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/util/ISO7816Utils.java
@@ -103,6 +103,14 @@ public class ISO7816Utils {
 
     TransparentFileInputStream is = openTransparentFileInputStream(channel,
         maxSize);
+    
+    return readTransparentFileTLV(is, maxSize, expectedType);
+
+  }
+  
+  public static byte[] readTransparentFileTLV(TransparentFileInputStream is, int maxSize,
+      byte expectedType) throws CardException, SignatureCardException {
+
 
     try {
 
@@ -170,7 +178,8 @@ public class ISO7816Utils {
       while (pos < (fcx[1] - 2)) {
         switch (fcx[pos]) {
         
-        case (byte) 0x80: {
+        case (byte) 0x80: 
+        case (byte) 0x81: {
           len = 0xFF & fcx[pos + 2];
           for (int i = 1; i < fcx[pos + 1]; i++) {
             len<<=8;
diff --git a/smcc/src/main/resources/at/gv/egiz/smcc/BELPICCard.properties b/smcc/src/main/resources/at/gv/egiz/smcc/BELPICCard.properties
new file mode 100644
index 00000000..71267394
--- /dev/null
+++ b/smcc/src/main/resources/at/gv/egiz/smcc/BELPICCard.properties
@@ -0,0 +1,3 @@
+#pin.name=PIN
+sig.pin.name=PIN
+sig.pin.length=4-12
\ No newline at end of file
diff --git a/smcc/src/main/resources/at/gv/egiz/smcc/ITCard.properties b/smcc/src/main/resources/at/gv/egiz/smcc/ITCard.properties
new file mode 100644
index 00000000..e0222a70
--- /dev/null
+++ b/smcc/src/main/resources/at/gv/egiz/smcc/ITCard.properties
@@ -0,0 +1,3 @@
+#pin.name=PIN
+sig.pin.name=PIN
+sig.pin.length=5-8
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
index 2a55357d..b3bd07ab 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
@@ -18,6 +18,8 @@ package at.gv.egiz.smcc;
 
 import static org.junit.Assert.*;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -178,13 +180,10 @@ public abstract class CardTest {
   @Test(expected = CancelledException.class)
   public void testSignSIGCancel() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        MessageDigest md = MessageDigest.getInstance("SHA-1");
-        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-      
         PINProvider pinProvider = new PINProvider() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
@@ -193,21 +192,19 @@ public abstract class CardTest {
           }
         };
       
-        signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-            pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR, pinProvider,
+        null);
       
       }
 
   @Test(expected = CancelledException.class)
   public void testSignDECCancel() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        MessageDigest md = MessageDigest.getInstance("SHA-1");
-        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-      
         PINProvider pinProvider = new PINProvider() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
@@ -216,21 +213,19 @@ public abstract class CardTest {
           }
         };
       
-        signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-            pinProvider);
+        signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+            .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+            pinProvider, null);
       
       }
 
   @Test(expected = InterruptedException.class)
   public void testSignSIGInterrrupted() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        MessageDigest md = MessageDigest.getInstance("SHA-1");
-        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-      
         PINProvider pinProvider = new PINProvider() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
@@ -239,21 +234,19 @@ public abstract class CardTest {
           }
         };
       
-        signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-            pinProvider);
+        signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+            .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+            pinProvider, null);
       
       }
 
   @Test(expected = InterruptedException.class)
   public void testSignDECInterrrupted() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        MessageDigest md = MessageDigest.getInstance("SHA-1");
-        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-      
         PINProvider pinProvider = new PINProvider() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
@@ -262,21 +255,19 @@ public abstract class CardTest {
           }
         };
       
-        signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-            pinProvider);
+        signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+            .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+            pinProvider, null);
       
       }
 
   @Test(expected = CancelledException.class)
   public void testSignSIGConcurrent() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
       
         final SignatureCard signatureCard = createSignatureCard();
       
-        MessageDigest md = MessageDigest.getInstance("SHA-1");
-        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-      
         PINProvider pinProvider = new PINProvider() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
@@ -294,21 +285,19 @@ public abstract class CardTest {
           }
         };
       
-        signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-            pinProvider);
+        signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+            .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+            pinProvider, null);
       
       }
 
   @Test(expected = CancelledException.class)
   public void testSignDECConcurrent() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
       
         final SignatureCard signatureCard = createSignatureCard();
       
-        MessageDigest md = MessageDigest.getInstance("SHA-1");
-        byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-      
         PINProvider pinProvider = new PINProvider() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
@@ -326,8 +315,9 @@ public abstract class CardTest {
           }
         };
       
-        signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-            pinProvider);
+        signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+            .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+            pinProvider, null);
       
       }
 
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
index 90bb039e..56d1e4b2 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
@@ -21,6 +21,8 @@ import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -125,7 +127,7 @@ public abstract class ACOSCardTest extends CardTest {
   @Test
   public void testSignSIG() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     char[] pin = "123456".toCharArray();
 
@@ -134,11 +136,9 @@ public abstract class ACOSCardTest extends CardTest {
     ACOSApplSIG appl = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
     appl.setPin(ACOSApplSIG.KID_PIN_SIG, pin);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
-    byte[] signature = signatureCard.createSignature(hash,
-        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin));
+    byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")),
+        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -147,7 +147,7 @@ public abstract class ACOSCardTest extends CardTest {
   @Test
   public void testSignDEC() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     char[] pin = "1234".toCharArray();
 
@@ -156,11 +156,9 @@ public abstract class ACOSCardTest extends CardTest {
     ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
     appl.setPin(ACOSApplDEC.KID_PIN_DEC, pin);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
-    byte[] signature = signatureCard.createSignature(hash,
-        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin));
+    byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")),
+        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -169,74 +167,66 @@ public abstract class ACOSCardTest extends CardTest {
   @Test(expected = LockedException.class)
   public void testSignSIGInvalidPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider, null);
 
   }
 
   @Test(expected = LockedException.class)
   public void testSignDECInvalidPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider, null);
 
   }
 
   @Test(expected = LockedException.class)
   public void testSignSIGBlockedPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
     CardEmul card = (CardEmul) signatureCard.getCard();
     ACOSApplSIG appl = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
     appl.setPin(ACOSApplSIG.KID_PIN_SIG, null);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider, null);
 
   }
 
   @Test(expected = LockedException.class)
   public void testSignDECBlockedPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
     CardEmul card = (CardEmul) signatureCard.getCard();
     ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
     appl.setPin(ACOSApplDEC.KID_PIN_DEC, null);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider, null);
 
   }
 
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
index 89e2ca65..b7dc9a0c 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
@@ -20,6 +20,8 @@ import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -147,7 +149,7 @@ public class STARCOSCardTest extends CardTest {
   @Test
   public void testSignSichereSignatur() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     char[] pin = "123456".toCharArray();
 
@@ -156,11 +158,9 @@ public class STARCOSCardTest extends CardTest {
     STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
     appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, pin);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
-    byte[] signature = signatureCard.createSignature(hash,
-        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin));
+    byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")),
+        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -169,7 +169,7 @@ public class STARCOSCardTest extends CardTest {
   @Test
   public void testSignGewoehnlicheSignatur() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     char[] pin = "1234".toCharArray();
 
@@ -178,11 +178,9 @@ public class STARCOSCardTest extends CardTest {
     STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
     channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, pin);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
-    byte[] signature = signatureCard.createSignature(hash,
-        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin));
+    byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")),
+        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -191,75 +189,67 @@ public class STARCOSCardTest extends CardTest {
   @Test(expected = LockedException.class)
   public void testSignSichereSignaturInvalidPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider, null);
 
   }
 
   @Test(expected = LockedException.class)
   public void testSignGewoehnlicheSignaturInvalidPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("1234".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider, null);
 
   }
 
   @Test(expected = LockedException.class)
   public void testSignSichereSignaturBlockedPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
     CardEmul card = (CardEmul) signatureCard.getCard();
     STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
     appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, null);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
     assertTrue(pinProvider.getProvided() <= 0);
 
-    signatureCard.createSignature(hash, KeyboxName.SECURE_SIGNATURE_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
+        pinProvider, null);
 
   }
 
   @Test(expected = LockedException.class)
   public void testSignGewoehnlicheSignaturBlockedPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
-      NoSuchAlgorithmException, UnsupportedEncodingException {
+      NoSuchAlgorithmException, IOException {
 
     SignatureCard signatureCard = createSignatureCard();
     CardEmul card = (CardEmul) signatureCard.getCard();
     STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
     channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, null);
 
-    MessageDigest md = MessageDigest.getInstance("SHA-1");
-    byte[] hash = md.digest("MOCCA".getBytes("ASCII"));
-
     TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
 
-    signatureCard.createSignature(hash, KeyboxName.CERITIFIED_KEYPAIR,
-        pinProvider);
+    signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
+        .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
+        pinProvider, null);
 
   }
   
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index 560f1373..58d7b305 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -18,9 +18,8 @@ package at.gv.egiz.bku.smccstal;
 
 import at.gv.egiz.bku.gui.BKUGUIFacade;
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.InputStream;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
@@ -44,7 +43,6 @@ import at.gv.egiz.stal.SignRequest;
 import at.gv.egiz.stal.SignResponse;
 import at.gv.egiz.stal.signedinfo.ObjectFactory;
 import at.gv.egiz.stal.signedinfo.SignedInfoType;
-import at.gv.egiz.stal.util.JCEAlgorithmNames;
 
 public class SignRequestHandler extends AbstractRequestHandler {
 
@@ -77,18 +75,11 @@ public class SignRequestHandler extends AbstractRequestHandler {
                 JAXBElement<SignedInfoType> si = (JAXBElement<SignedInfoType>) unmarshaller.unmarshal(is);
                 String signatureMethod = si.getValue().getSignatureMethod().getAlgorithm();
                 log.debug("Found signature method: " + signatureMethod);
-                String jceName = JCEAlgorithmNames.getJCEHashName(signatureMethod);
-                if (jceName == null) {
-                    log.error("Hash algorithm not supported:");
-                    return new ErrorResponse(4006);
-                }
-                MessageDigest md = MessageDigest.getInstance(jceName);
-                md.update(signReq.getSignedInfo());
                 KeyboxName kb = SignatureCard.KeyboxName.getKeyboxName(signReq.getKeyIdentifier());
 
-                byte[] resp = card.createSignature(md.digest(), kb,
+                byte[] resp = card.createSignature(new ByteArrayInputStream(signReq.getSignedInfo()), kb,
                         new PINProviderFactory(card.getReader(), gui)
-                        .getSignaturePINProvider(secureViewer, si.getValue()));
+                        .getSignaturePINProvider(secureViewer, si.getValue()), signatureMethod);
                 if (resp == null) {
                     return new ErrorResponse(6001);
                 }
@@ -127,9 +118,9 @@ public class SignRequestHandler extends AbstractRequestHandler {
             } catch (JAXBException e) {
                 log.error("Cannot unmarshall signed info", e);
                 return new ErrorResponse(1000);
-            } catch (NoSuchAlgorithmException e) {
-                log.error(e);
-                return new ErrorResponse(1000);
+            } catch (IOException e) {
+              log.error("Error while creating signature: " + e);
+              return new ErrorResponse(4000);
             } 
         } else {
             log.fatal("Got unexpected STAL request: " + request);
diff --git a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
index 36880e68..16d3efa9 100644
--- a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
+++ b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
@@ -1,5 +1,6 @@
 package at.gv.egiz.smcc;
 
+import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
@@ -37,8 +38,8 @@ public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
    signatureCard = new SignatureCard() {
 
     @Override
-    public byte[] createSignature(byte[] hash, KeyboxName keyboxName,
-        PINProvider provider) throws SignatureCardException {
+    public byte[] createSignature(InputStream input, KeyboxName keyboxName,
+        PINProvider provider, String alg) throws SignatureCardException {
       // TODO Auto-generated method stub
       return null;
     }
diff --git a/utils/src/main/java/at/gv/egiz/xades/QualifyingPropertiesFactory.java b/utils/src/main/java/at/gv/egiz/xades/QualifyingPropertiesFactory.java
index 82cba624..6f694b91 100644
--- a/utils/src/main/java/at/gv/egiz/xades/QualifyingPropertiesFactory.java
+++ b/utils/src/main/java/at/gv/egiz/xades/QualifyingPropertiesFactory.java
@@ -104,14 +104,14 @@ public class QualifyingPropertiesFactory {
 
   }
   
-  public DigestAlgAndValueType createDigestAlgAndValueType(X509Certificate certificate) throws QualifyingPropertiesException {
+  public DigestAlgAndValueType createDigestAlgAndValueType(X509Certificate certificate, DigestMethod dm) throws QualifyingPropertiesException {
     
     DigestMethodType digestMethodType = dsFactory.createDigestMethodType();
-    digestMethodType.setAlgorithm(DigestMethod.SHA1);
-
+    digestMethodType.setAlgorithm(dm.getAlgorithm());
+    
     byte[] digest;
     try {
-      MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
+      MessageDigest messageDigest = MessageDigest.getInstance(dm.getAlgorithm());
       digest = messageDigest.digest(certificate.getEncoded());
     } catch (CertificateEncodingException e) {
       throw new QualifyingPropertiesException(e);
@@ -155,7 +155,10 @@ public class QualifyingPropertiesFactory {
     return dataObjectFormatType;
   }
   
-  public JAXBElement<QualifyingPropertiesType> createQualifyingProperties111(String target, Date signingTime, List<X509Certificate> certificates, String idValue, List<DataObjectFormatType> dataObjectFormats) throws QualifyingPropertiesException {
+  public JAXBElement<QualifyingPropertiesType> createQualifyingProperties111(
+      String target, Date signingTime, List<X509Certificate> certificates,
+      String idValue, List<DataObjectFormatType> dataObjectFormats,
+      DigestMethod digestMethod) throws QualifyingPropertiesException {
 
     GregorianCalendar gregorianCalendar = new GregorianCalendar();
     gregorianCalendar.setTimeZone(TimeZone.getTimeZone("UTC"));
@@ -175,7 +178,7 @@ public class QualifyingPropertiesFactory {
     for (X509Certificate certificate : certificates) {
       
       CertIDType certIDType = qpFactory.createCertIDType();
-      certIDType.setCertDigest(createDigestAlgAndValueType(certificate));
+      certIDType.setCertDigest(createDigestAlgAndValueType(certificate, digestMethod));
       certIDType.setIssuerSerial(createX509IssuerSerialType(certificate));
       
       certIDs.add(certIDType);
-- 
cgit v1.2.3


From 3da4655d011dfc2f04f9e4ac28b38aee42d01bc0 Mon Sep 17 00:00:00 2001
From: clemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Tue, 5 Jan 2010 10:06:47 +0000
Subject: Features [#437] Handle pinpad [64:03] response apdu correctly [#445]
 pin entry feedback for VERIFY_PIN_START/FINISH [#471] Provide SecureViewer
 Link before Pinpad PinEntry timeout starts

Bugs
[#479] PIN Managment Applet allows unmatching new pin and pin confirmation
[#480] PIN Management displays blocked PINs as ACTIVE
[#486] Not possible to select 3 times in series the same item from signedReferencesList for display in secureViewer
[#506] change pin dialog (gui) issues
[#508] e-card G3 PIN activation (with TransportPIN) not supported
[#509] closing secure viewer window (WINDOW_CLOSING) leaves "signature data is displayed in viewer" dialog in applet


git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@565 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java |  28 +-
 .../main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java   | 765 +++++++++------------
 .../main/java/at/gv/egiz/bku/gui/PinDocument.java  | 125 +---
 .../at/gv/egiz/bku/gui/SecureViewerDialog.java     | 118 ++--
 .../at/gv/egiz/bku/gui/Messages.properties         |   9 +-
 .../at/gv/egiz/bku/gui/Messages_en.properties      |   9 +-
 .../test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java |  13 +-
 .../at/gv/egiz/bku/gui/ComparePinDocument.java     | 102 +++
 .../at/gv/egiz/bku/gui/ExtendedPinDocument.java    | 108 +++
 .../java/at/gv/egiz/bku/gui/PINManagementGUI.java  | 163 +++--
 .../at/gv/egiz/bku/gui/PINManagementGUIFacade.java |  66 +-
 .../gv/egiz/bku/gui/ActivationMessages.properties  |  36 +-
 .../egiz/bku/gui/ActivationMessages_en.properties  |  34 +-
 BKUOnline/src/main/resources/log4j.properties      |   2 +-
 BKUOnline/src/main/webapp/META-INF/context.xml     |   2 +-
 smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java   |  44 +-
 .../at/gv/egiz/smcc/AbstractSignatureCard.java     |  14 +-
 smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java |  11 +-
 .../java/at/gv/egiz/smcc/ChangePINProvider.java    |  36 -
 smcc/src/main/java/at/gv/egiz/smcc/ITCard.java     |  11 +-
 .../at/gv/egiz/smcc/PINConfirmationException.java  |  19 -
 .../java/at/gv/egiz/smcc/PINFormatException.java   |  19 -
 .../java/at/gv/egiz/smcc/PINMgmtSignatureCard.java |  11 +-
 .../src/main/java/at/gv/egiz/smcc/PINProvider.java |  45 --
 .../at/gv/egiz/smcc/ResetRetryCounterAPDUSpec.java |  38 +
 .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 208 +++---
 smcc/src/main/java/at/gv/egiz/smcc/SWCard.java     | 106 +--
 .../main/java/at/gv/egiz/smcc/SignatureCard.java   |   9 +-
 .../java/at/gv/egiz/smcc/pin/gui/ModifyPINGUI.java |  36 +
 .../at/gv/egiz/smcc/pin/gui/ModifyPINProvider.java |  48 ++
 .../main/java/at/gv/egiz/smcc/pin/gui/PINGUI.java  |  42 ++
 .../java/at/gv/egiz/smcc/pin/gui/PINProvider.java  |  49 ++
 .../java/at/gv/egiz/smcc/reader/CardReader.java    |  92 +++
 .../at/gv/egiz/smcc/reader/DefaultCardReader.java  | 106 +++
 .../at/gv/egiz/smcc/reader/PinpadCardReader.java   | 703 +++++++++++++++++++
 .../java/at/gv/egiz/smcc/reader/ReaderFactory.java | 128 ++++
 .../test/java/at/gv/egiz/smcc/AbstractAppl.java    |   1 +
 smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java   |  14 +-
 smcc/src/test/java/at/gv/egiz/smcc/CardTest.java   | 171 +----
 smcc/src/test/java/at/gv/egiz/smcc/PIN.java        |  10 +-
 .../test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java |   2 +-
 .../java/at/gv/egiz/smcc/acos/A03CardEmul.java     |   7 +-
 .../java/at/gv/egiz/smcc/acos/A03CardTest.java     |   9 +-
 .../java/at/gv/egiz/smcc/acos/A04CardEmul.java     |   7 +-
 .../java/at/gv/egiz/smcc/acos/A04CardTest.java     |  12 +-
 .../java/at/gv/egiz/smcc/acos/ACOSApplDEC.java     |   2 +-
 .../java/at/gv/egiz/smcc/acos/ACOSApplSIG.java     |   2 +-
 .../java/at/gv/egiz/smcc/acos/ACOSCardTest.java    |  21 +-
 .../egiz/smcc/pin/gui/CancelChangePINProvider.java |  39 ++
 .../at/gv/egiz/smcc/pin/gui/CancelPINProvider.java |  29 +
 .../at/gv/egiz/smcc/pin/gui/ChangePINProvider.java |  49 ++
 .../at/gv/egiz/smcc/pin/gui/DummyChangePINGUI.java |  68 ++
 .../java/at/gv/egiz/smcc/pin/gui/DummyPINGUI.java  |  48 ++
 .../gv/egiz/smcc/pin/gui/InterruptPINProvider.java |  34 +
 .../smcc/pin/gui/InvalidChangePINProvider.java     |  56 ++
 .../gv/egiz/smcc/pin/gui/InvalidPINProvider.java   |  48 ++
 .../gv/egiz/smcc/pin/gui/SMCCTestPINProvider.java  |  43 ++
 .../java/at/gv/egiz/smcc/starcos/STARCOSAppl.java  |  23 -
 .../starcos/STARCOSApplGewoehnlicheSignatur.java   |  27 +-
 .../gv/egiz/smcc/starcos/STARCOSApplInfobox.java   |   5 +
 .../smcc/starcos/STARCOSApplSichereSignatur.java   |  36 +-
 .../egiz/smcc/starcos/STARCOSCardChannelEmul.java  | 105 ++-
 .../at/gv/egiz/smcc/starcos/STARCOSCardEmul.java   |  24 +-
 .../at/gv/egiz/smcc/starcos/STARCOSCardTest.java   | 132 ++--
 .../smcc/starcos/STARCOSG3CardChannelEmul.java     |  46 ++
 .../at/gv/egiz/smcc/starcos/STARCOSG3CardEmul.java |  57 ++
 .../at/gv/egiz/smcc/starcos/STARCOSG3CardTest.java | 119 ++++
 smccSTAL/src/main/java/META-INF/MANIFEST.MF        |   3 -
 .../gv/egiz/bku/pin/gui/AbstractPINProvider.java   |  60 ++
 .../java/at/gv/egiz/bku/pin/gui/SignPINGUI.java    | 136 ++++
 .../at/gv/egiz/bku/pin/gui/SignPINProvider.java    | 105 +++
 .../java/at/gv/egiz/bku/pin/gui/VerifyPINGUI.java  |  76 ++
 .../at/gv/egiz/bku/pin/gui/VerifyPINProvider.java  |  72 ++
 .../gv/egiz/bku/smccstal/AbstractPINProvider.java  |  67 --
 .../bku/smccstal/InfoBoxReadRequestHandler.java    |   9 +-
 .../gv/egiz/bku/smccstal/PINProviderFactory.java   | 327 ---------
 .../gv/egiz/bku/smccstal/SignRequestHandler.java   |   4 +-
 .../java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java |  13 +-
 .../at/gv/egiz/bku/pin/gui/ManagementPINGUI.java   |  88 +++
 .../gv/egiz/bku/pin/gui/ManagementPINProvider.java |  89 +++
 .../bku/smccstal/ManagementPINProviderFactory.java | 246 -------
 .../bku/smccstal/PINManagementRequestHandler.java  | 210 ++++--
 82 files changed, 4011 insertions(+), 2095 deletions(-)
 create mode 100644 BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ComparePinDocument.java
 create mode 100644 BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ExtendedPinDocument.java
 delete mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java
 delete mode 100644 smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/ResetRetryCounterAPDUSpec.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINGUI.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINProvider.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINGUI.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINProvider.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/reader/CardReader.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/reader/DefaultCardReader.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/reader/PinpadCardReader.java
 create mode 100644 smcc/src/main/java/at/gv/egiz/smcc/reader/ReaderFactory.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelChangePINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelPINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/ChangePINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyChangePINGUI.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyPINGUI.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InterruptPINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidChangePINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidPINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/pin/gui/SMCCTestPINProvider.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardChannelEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardEmul.java
 create mode 100644 smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardTest.java
 delete mode 100644 smccSTAL/src/main/java/META-INF/MANIFEST.MF
 create mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/AbstractPINProvider.java
 create mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINGUI.java
 create mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINProvider.java
 create mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINGUI.java
 create mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINProvider.java
 delete mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java
 delete mode 100644 smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java
 create mode 100644 smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINGUI.java
 create mode 100644 smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINProvider.java
 delete mode 100644 smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/ManagementPINProviderFactory.java

(limited to 'smcc/src/test/java')

diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java
index 91c91dcb..1e23c64c 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIFacade.java
@@ -16,7 +16,7 @@
  */
 package at.gv.egiz.bku.gui;
 
-import at.gv.egiz.stal.HashDataInput;
+  import at.gv.egiz.stal.HashDataInput;
 import at.gv.egiz.smcc.PINSpec;
 import java.awt.Color;
 import java.awt.event.ActionListener;
@@ -53,14 +53,15 @@ public interface BKUGUIFacade {
   public static final String TITLE_WELCOME = "title.welcome";
   public static final String TITLE_INSERTCARD = "title.insertcard";
   public static final String TITLE_CARD_NOT_SUPPORTED = "title.cardnotsupported";
-  public static final String TITLE_CARDPIN = "title.cardpin";
+  public static final String TITLE_VERIFY_PIN = "title.verify.pin";
   public static final String TITLE_SIGN = "title.sign";
+  public static final String TITLE_VERIFY_PINPAD = "title.verify.pinpad";
   public static final String TITLE_ERROR = "title.error";
   public static final String TITLE_WARNING = "title.warning";
   public static final String TITLE_ENTRY_TIMEOUT = "title.entry.timeout";
   public static final String TITLE_RETRY = "title.retry";
   public static final String TITLE_WAIT = "title.wait";
-  public static final String TITLE_HASHDATA = "title.hashdata";
+  public static final String TITLE_SIGNATURE_DATA = "title.signature.data";
   public static final String WINDOWTITLE_SAVE = "windowtitle.save";
   public static final String WINDOWTITLE_ERROR = "windowtitle.error";
   public static final String WINDOWTITLE_SAVEDIR = "windowtitle.savedir";
@@ -75,6 +76,7 @@ public interface BKUGUIFacade {
   public static final String MESSAGE_CARD_NOT_SUPPORTED = "cardnotsupported";
   public static final String MESSAGE_ENTERPIN = "enterpin";
   public static final String MESSAGE_ENTERPIN_PINPAD = "enterpin.pinpad";
+  public static final String MESSAGE_ENTERPIN_PINPAD_DIRECT = "enterpin.pinpad.direct";
   public static final String MESSAGE_HASHDATALINK = "hashdatalink";
   public static final String MESSAGE_HASHDATALINK_TINY = "hashdatalink.tiny";
   public static final String MESSAGE_HASHDATALINK_FOCUS = "hashdatalink.focus";
@@ -96,8 +98,9 @@ public interface BKUGUIFacade {
   public static final String HELP_WAIT = "help.wait";
   public static final String HELP_CARDNOTSUPPORTED = "help.cardnotsupported";
   public static final String HELP_INSERTCARD = "help.insertcard";
-  public static final String HELP_CARDPIN = "help.cardpin";
+  public static final String HELP_VERIFY_PIN = "help.cardpin";
   public static final String HELP_SIGNPIN = "help.signpin";
+  public static final String HELP_PINPAD = "help.pinpad";
   public static final String HELP_RETRY = "help.retry";
   public static final String HELP_HASHDATA = "help.hashdata";
   public static final String HELP_HASHDATALIST = "help.hashdatalist";
@@ -111,6 +114,18 @@ public interface BKUGUIFacade {
   public static final String SAVE_HASHDATAINPUT_PREFIX = "save.hashdatainput.prefix";
   public static final String ALT_HELP = "alt.help";
 
+  public void showEnterPINDirect(PINSpec spec, int retries);
+
+  public void showEnterPIN(PINSpec spec, int retries);
+
+  public void showSignatureDataDialog(PINSpec spec, ActionListener listener, String string, ActionListener aThis0, String string0, ActionListener aThis1, String string1);
+
+  public void correctionButtonPressed();
+
+  public void allKeysCleared();
+
+  public void validKeyPressed();
+
   public enum Style { tiny, simple, advanced };
     
   /**
@@ -119,7 +134,7 @@ public interface BKUGUIFacade {
    */
   public Locale getLocale();
 
-  public void showCardPINDialog(PINSpec pinSpec, int numRetries,
+  public void showVerifyPINDialog(PINSpec pinSpec, int numRetries,
           ActionListener okListener, String okCommand,
           ActionListener cancelListener, String cancelCommand);
 
@@ -128,9 +143,6 @@ public interface BKUGUIFacade {
           ActionListener cancelListener, String cancelCommand,
           ActionListener viewerListener, String viewerCommand);
 
-  public void showPinpadSignaturePINDialog(PINSpec pinSpec, int numRetries, 
-          ActionListener viewerListener, String viewerCommand);
-
   public char[] getPin();
 
   /**
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java
index baffb3fd..3fc631c3 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/BKUGUIImpl.java
@@ -93,6 +93,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
     protected JLabel switchFocusDummyLabel; 
     /** remember the pinfield to return to worker */
     protected JPasswordField pinField;
+    protected JPasswordField pinpadPINField;
 
     protected int buttonSize;
     
@@ -360,221 +361,27 @@ public class BKUGUIImpl implements BKUGUIFacade {
       return messages.containsKey(key);
     }
 
-//    @Override
-//    public void showWelcomeDialog() {
-//
-//      log.debug("scheduling welcome dialog");
-//
-//        SwingUtilities.invokeLater(new Runnable() {
-//
-//            @Override
-//            public void run() {
-//
-//              log.debug("show welcome dialog");
-//
-//                mainPanel.removeAll();
-//                buttonPanel.removeAll();
-//
-//                helpListener.setHelpTopic(HELP_WELCOME);
-//
-//                JLabel welcomeMsgLabel = new JLabel();
-//                welcomeMsgLabel.setFont(welcomeMsgLabel.getFont().deriveFont(welcomeMsgLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
-//
-//                if (renderHeaderPanel) {
-//                  titleLabel.setText(getMessage(TITLE_WELCOME));
-//                  welcomeMsgLabel.setText(getMessage(MESSAGE_WAIT));
-//                } else {
-//                  welcomeMsgLabel.setText(getMessage(TITLE_WELCOME));
-//                }
-//
-//                GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
-//                mainPanel.setLayout(mainPanelLayout);
-//
-//                GroupLayout.SequentialGroup messageHorizontal = mainPanelLayout.createSequentialGroup()
-//                        .addComponent(welcomeMsgLabel);
-//                GroupLayout.Group messageVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
-//                        .addComponent(welcomeMsgLabel);
-//                if (!renderHeaderPanel) {
-//                  messageHorizontal
-//                          .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
-//                          .addComponent(helpLabel);
-//                  messageVertical
-//                          .addComponent(helpLabel);
-//                }
-//
-//                mainPanelLayout.setHorizontalGroup(messageHorizontal);
-//                mainPanelLayout.setVerticalGroup(messageVertical);
-//
-//                contentPanel.validate();
-//
-//            }
-//        });
-//    }
-
-//    @Override
-//    public void showInsertCardDialog(
-//            final ActionListener cancelListener, final String cancelCommand) {
-//
-//      log.debug("scheduling insert card dialog");
-//
-//      SwingUtilities.invokeLater(new Runnable() {
-//
-//            @Override
-//            public void run() {
-//
-//              log.debug("show insert card dialog");
-//
-//                mainPanel.removeAll();
-//                buttonPanel.removeAll();
-//
-//                if (renderHeaderPanel) {
-//                  titleLabel.setText(getMessage(TITLE_INSERTCARD));
-//                }
-//
-//                helpListener.setHelpTopic(HELP_INSERTCARD);
-//
-//                JLabel insertCardMsgLabel = new JLabel();
-//                insertCardMsgLabel.setFont(insertCardMsgLabel.getFont().deriveFont(insertCardMsgLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
-//                insertCardMsgLabel.setText(getMessage(MESSAGE_INSERTCARD));
-//
-//                GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
-//                mainPanel.setLayout(mainPanelLayout);
-//
-//                GroupLayout.SequentialGroup messageHorizontal = mainPanelLayout.createSequentialGroup()
-//                        .addComponent(insertCardMsgLabel);
-//                GroupLayout.ParallelGroup messageVertical = mainPanelLayout.createParallelGroup()
-//                        .addComponent(insertCardMsgLabel);
-//
-//                if (!renderHeaderPanel) {
-//                  messageHorizontal
-//                          .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
-//                          .addComponent(helpLabel);
-//                  messageVertical
-//                          .addComponent(helpLabel);
-//                }
-//
-//                mainPanelLayout.setHorizontalGroup(messageHorizontal);
-//                mainPanelLayout.setVerticalGroup(messageVertical);
-//
-//                if (renderCancelButton) {
-//                  JButton cancelButton = new JButton();
-//                  cancelButton.setFont(cancelButton.getFont().deriveFont(cancelButton.getFont().getStyle() & ~java.awt.Font.BOLD));
-//                  cancelButton.setText(getMessage(BUTTON_CANCEL));
-//                  cancelButton.addActionListener(cancelListener);
-//                  cancelButton.setActionCommand(cancelCommand);
-//
-//                  GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
-//                  buttonPanel.setLayout(buttonPanelLayout);
-//
-//                  buttonPanelLayout.setHorizontalGroup(
-//                    buttonPanelLayout.createSequentialGroup()
-//                          .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
-//                          .addComponent(cancelButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE));
-//                  buttonPanelLayout.setVerticalGroup(
-//                    buttonPanelLayout.createSequentialGroup()
-//                      .addComponent(cancelButton));
-//                }
-//
-//                contentPanel.validate();
-//            }
-//        });
-//    }
-
-    /**
-     * only difference to showInsertCard: title text: card not supported
-     * @param cancelListener
-     * @param cancelCommand
-     */
-//    @Override
-//    public void showCardNotSupportedDialog(final ActionListener cancelListener, final String cancelCommand) {
-//
-//      log.debug("scheduling card not supported dialog");
-//
-//      SwingUtilities.invokeLater(new Runnable() {
-//
-//            @Override
-//            public void run() {
-//
-//              log.debug("show card not supported dialog");
-//
-//              mainPanel.removeAll();
-//              buttonPanel.removeAll();
-//
-//              JLabel insertCardMsgLabel = new JLabel();
-//              insertCardMsgLabel.setFont(insertCardMsgLabel.getFont().deriveFont(insertCardMsgLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
-//
-//              if (renderHeaderPanel) {
-//                titleLabel.setText(getMessage(TITLE_CARD_NOT_SUPPORTED));
-//                insertCardMsgLabel.setText(getMessage(MESSAGE_INSERTCARD));
-//              } else {
-//                insertCardMsgLabel.setText(getMessage(TITLE_CARD_NOT_SUPPORTED));
-//              }
-//
-//              helpListener.setHelpTopic(HELP_CARDNOTSUPPORTED);
-//
-//              GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
-//              mainPanel.setLayout(mainPanelLayout);
-//
-//              GroupLayout.SequentialGroup messageHorizontal = mainPanelLayout.createSequentialGroup()
-//                      .addComponent(insertCardMsgLabel);
-//              GroupLayout.Group messageVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
-//                      .addComponent(insertCardMsgLabel);
-//              if (!renderHeaderPanel) {
-//                messageHorizontal
-//                        .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
-//                        .addComponent(helpLabel);
-//                messageVertical
-//                        .addComponent(helpLabel);
-//              }
-//
-//              mainPanelLayout.setHorizontalGroup(messageHorizontal);
-//              mainPanelLayout.setVerticalGroup(messageVertical);
-//
-//              if (renderCancelButton) {
-//                JButton cancelButton = new JButton();
-//                cancelButton.setFont(cancelButton.getFont().deriveFont(cancelButton.getFont().getStyle() & ~java.awt.Font.BOLD));
-//                cancelButton.setText(getMessage(BUTTON_CANCEL));
-//                cancelButton.addActionListener(cancelListener);
-//                cancelButton.setActionCommand(cancelCommand);
-//
-//                GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
-//                buttonPanel.setLayout(buttonPanelLayout);
-//
-//                buttonPanelLayout.setHorizontalGroup(
-//                  buttonPanelLayout.createSequentialGroup()
-//                        .addContainerGap(GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
-//                        .addComponent(cancelButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE));
-//                buttonPanelLayout.setVerticalGroup(
-//                  buttonPanelLayout.createSequentialGroup()
-//                    .addComponent(cancelButton));
-//              }
-//
-//              contentPanel.validate();
-//            }
-//        });
-//    }
-
   @Override
-  public void showCardPINDialog(final PINSpec pinSpec, final int numRetries,
+  public void showVerifyPINDialog(final PINSpec pinSpec, final int numRetries,
           final ActionListener okListener, final String okCommand,
           final ActionListener cancelListener, final String cancelCommand) {
         
-      log.debug("scheduling card-pin dialog");
+      log.debug("scheduling verify pin dialog");
       
       SwingUtilities.invokeLater(new Runnable() {
 
             @Override
             public void run() {
 
-              log.debug("[" + Thread.currentThread().getName() + "] show card-pin dialog");
+              log.debug("[" + Thread.currentThread().getName() + "] show verify pin dialog");
       
                 mainPanel.removeAll();
                 buttonPanel.removeAll();
 
                 if (renderHeaderPanel) {
                   if (numRetries < 0) {
-                      String cardpinTitle = getMessage(TITLE_CARDPIN);
-                      titleLabel.setText(MessageFormat.format(cardpinTitle, new Object[]{pinSpec.getLocalizedName()}));
+                      String verifyTitle = getMessage(TITLE_VERIFY_PIN);
+                      titleLabel.setText(MessageFormat.format(verifyTitle, new Object[]{pinSpec.getLocalizedName()}));
                   } else {
                       titleLabel.setText(getMessage(TITLE_RETRY));
                   }
@@ -615,8 +422,8 @@ public class BKUGUIImpl implements BKUGUIFacade {
                   } else {
                     infoLabel.setText(MessageFormat.format(infoPattern, new Object[] {pinSpec.getLocalizedName()}));
                   }
-                  helpMouseListener.setHelpTopic(HELP_CARDPIN);
-                  helpKeyListener.setHelpTopic(HELP_CARDPIN);
+                  helpMouseListener.setHelpTopic(HELP_VERIFY_PIN);
+                  helpKeyListener.setHelpTopic(HELP_VERIFY_PIN);
                 } else {
                   String retryPattern;
                   if (numRetries < 2) {
@@ -732,194 +539,346 @@ public class BKUGUIImpl implements BKUGUIFacade {
         });
     }
 
-//    @Override
-//    public void showCardPINDialog(PINSpec pinSpec, ActionListener okListener, String okCommand, ActionListener cancelListener, String cancelCommand) {
-//        showCardPINDialog(pinSpec, -1, okListener, okCommand, cancelListener, cancelCommand);
-//    }
-//
-//    @Override
-//    public void showCardPINRetryDialog(PINSpec pinSpec, int numRetries, ActionListener okListener, String okCommand, ActionListener cancelListener, String cancelCommand) {
-//        showCardPINDialog(pinSpec, numRetries, okListener, okCommand, cancelListener, cancelCommand);
-//    }
+  @Override
+  public void showEnterPINDirect(PINSpec pinSpec, int retries) {
+    if (retries < 0) {
+      showMessageDialog(TITLE_VERIFY_PINPAD, MESSAGE_ENTERPIN_PINPAD_DIRECT, new Object[] {
+                  pinSpec.getLocalizedName(), pinSpec.getLocalizedLength() });
+    } else {
+      showMessageDialog(TITLE_RETRY, MESSAGE_RETRIES, new Object[]{String.valueOf(retries) });
+    }
+  }
 
-//    @Override
-//    public void showSignaturePINDialog(PINSpec pinSpec, ActionListener signListener, String signCommand, ActionListener cancelListener, String cancelCommand, ActionListener hashdataListener, String hashdataCommand) {
-//        showSignaturePINDialog(pinSpec, -1, signListener, signCommand, cancelListener, cancelCommand, hashdataListener, hashdataCommand);
-//    }
+  @Override
+  public void showEnterPIN(final PINSpec pinSpec, final int retries) {
+    showEnterPIN(pinSpec, retries, TITLE_VERIFY_PINPAD, MESSAGE_ENTERPIN_PINPAD, null);
+  }
 
-    @Override
-    public void showPinpadSignaturePINDialog(final PINSpec pinSpec, final int numRetries,
-//            final ActionListener cancelListener, final String cancelCommand,
-            final ActionListener hashdataListener, final String hashdataCommand) {
+  protected void showEnterPIN(final PINSpec pinSpec, final int retries, final String titleKey, final String messageKey, final Object[] messageParams) {
+    log.debug("scheduling pinpad dialog");
 
-        log.debug("scheduling pinpad signature-pin dialog");
+    SwingUtilities.invokeLater(new Runnable() {
 
-        SwingUtilities.invokeLater(new Runnable() {
+      @Override
+      public void run() {
 
-            @Override
-            public void run() {
+        log.debug("[" + Thread.currentThread().getName() + "] show pinpad dialog");
 
-              log.debug("[" + Thread.currentThread().getName() + "] show pinpad signature-pin dialog");
+        mainPanel.removeAll();
+        buttonPanel.removeAll();
 
-                mainPanel.removeAll();
-                buttonPanel.removeAll();
+        if (renderHeaderPanel) {
+          if (retries < 0) {
+              titleLabel.setText(getMessage(titleKey));
+          } else {
+              titleLabel.setText(getMessage(TITLE_RETRY));
+          }
+        }
 
-                if (renderHeaderPanel) {
-                  if (numRetries < 0) {
-                      titleLabel.setText(getMessage(TITLE_SIGN));
-                  } else {
-                      titleLabel.setText(getMessage(TITLE_RETRY));
-                  }
-                }
+        final JLabel infoLabel = new JLabel();
+        if (retries < 0) {
+          infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
+          infoLabel.setText(MessageFormat.format(getMessage(messageKey), messageParams));
+          helpMouseListener.setHelpTopic(HELP_PINPAD);
+          helpKeyListener.setHelpTopic(HELP_PINPAD);
+        } else {
+          String retryPattern;
+          if (retries == 1) {
+            retryPattern = getMessage(MESSAGE_LAST_RETRY);
+          } else {
+            retryPattern = getMessage(MESSAGE_RETRIES);
+          }
+          infoLabel.setText(MessageFormat.format(retryPattern, new Object[]{String.valueOf(retries)}));
+          infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() | java.awt.Font.BOLD));
+          infoLabel.setForeground(ERROR_COLOR);
+          helpMouseListener.setHelpTopic(HELP_RETRY);
+          helpKeyListener.setHelpTopic(HELP_RETRY);
+        }
+
+        JLabel pinLabel = new JLabel();
+        pinLabel.setFont(pinLabel.getFont().deriveFont(pinLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
+        String pinName = getMessage(LABEL_PIN);
+        pinLabel.setText(MessageFormat.format(pinName, new Object[]{pinSpec.getLocalizedName()}));
+
+        pinpadPINField = new JPasswordField();
+        pinpadPINField.setText("");
+        pinpadPINField.setEnabled(false);
+
+        JLabel pinsizeLabel = new JLabel();
+        pinsizeLabel.setFont(pinsizeLabel.getFont().deriveFont(pinsizeLabel.getFont().getStyle() & ~java.awt.Font.BOLD, pinsizeLabel.getFont().getSize()-2));
+        pinsizeLabel.setText(MessageFormat.format(getMessage(LABEL_PINSIZE), pinSpec.getLocalizedLength()));
+
+        GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
+        mainPanel.setLayout(mainPanelLayout);
+
+        GroupLayout.SequentialGroup infoHorizontal = mainPanelLayout.createSequentialGroup()
+                .addComponent(infoLabel);
+        GroupLayout.ParallelGroup infoVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+                .addComponent(infoLabel);
+
+        if (!renderHeaderPanel) {
+          infoHorizontal
+                  .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
+                  .addComponent(switchFocusDummyLabel)
+                  .addComponent(helpLabel)
+                  ;
+          infoVertical
+                  .addComponent(switchFocusDummyLabel)
+                  .addComponent(helpLabel)
+                  ;
+        }
+
+        // align pinfield and pinsize to the right
+        GroupLayout.Group pinHorizontal = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.TRAILING);
+        GroupLayout.SequentialGroup pinVertical = mainPanelLayout.createSequentialGroup();
+
+        if (pinLabelPos == PinLabelPosition.ABOVE) {
+          pinHorizontal
+                  .addGroup(mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+                    .addComponent(pinLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
+                    .addComponent(pinpadPINField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
+                  .addComponent(pinsizeLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE);
+          pinVertical
+                  .addComponent(pinLabel)
+                  .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                  .addComponent(pinpadPINField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
+                  .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                  .addComponent(pinsizeLabel);
+        } else { // PinLabelPosition.LEFT
+          pinHorizontal
+                  .addGroup(mainPanelLayout.createSequentialGroup()
+                    .addComponent(pinLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE)
+                    .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                    .addComponent(pinpadPINField, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
+                  .addComponent(pinsizeLabel, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE);
+          pinVertical
+                  .addGroup(mainPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE)
+                    .addComponent(pinLabel)
+                    .addComponent(pinpadPINField))
+                  .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+                  .addComponent(pinsizeLabel);
+        }
+
+        mainPanelLayout.setHorizontalGroup(
+          mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+            .addGroup(infoHorizontal)
+            .addGroup(pinHorizontal));
+
+        mainPanelLayout.setVerticalGroup(
+          mainPanelLayout.createSequentialGroup()
+            .addGroup(infoVertical)
+            .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+            .addGroup(pinVertical));
+
+        contentPanel.validate();
+      }
+    });
+  }
+
+  @Override
+  public void showSignatureDataDialog(PINSpec spec,
+          final ActionListener enterPINListener, final String enterPINCommand,
+          final ActionListener cancelListener, final String cancelCommand,
+          final ActionListener hashdataListener, final String hashdataCommand) {
+
+    log.debug("scheduling signature-data dialog");
+
+    SwingUtilities.invokeLater(new Runnable() {
+
+        @Override
+        public void run() {
+
+          log.debug("[" + Thread.currentThread().getName() + "] show signature-data dialog");
+
+          mainPanel.removeAll();
+          buttonPanel.removeAll();
+
+          if (renderHeaderPanel) {
+            titleLabel.setText(getMessage(TITLE_SIGNATURE_DATA));
+          }
+
+          final JLabel infoLabel = new JLabel();
+          infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
+          if (shortText) {
+            infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
+          } else {
+            infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
+          }
+          infoLabel.setFocusable(true);
+          infoLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
+          infoLabel.setForeground(HYPERLINK_COLOR);
+          infoLabel.addMouseListener(new MouseAdapter() {
+
+              @Override
+              public void mouseClicked(MouseEvent me) {
+                  ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
+                  hashdataListener.actionPerformed(e);
+              }
+          });
+
+          infoLabel.addKeyListener(new KeyAdapter() {
+
+             @Override
+             public void keyPressed(KeyEvent e) {
+
+                 if(e.getKeyCode() == KeyEvent.VK_ENTER) {
+                     ActionEvent e1 = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
+                      hashdataListener.actionPerformed(e1);
+                 }
+             }
+
+           });
+
+          infoLabel.addFocusListener(new FocusAdapter() {
+
+              @Override
+              public void focusGained(FocusEvent e) {
 
-                final JLabel infoLabel = new JLabel();
-                if (numRetries < 0) {
-                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
                   if (shortText) {
-                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
-                  } else {
-                    infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
-                  }
-                  infoLabel.setFocusable(true);
-                  infoLabel.setCursor(Cursor.getPredefinedCursor(Cursor.HAND_CURSOR));
-                  infoLabel.setForeground(HYPERLINK_COLOR);
-                  infoLabel.addMouseListener(new MouseAdapter() {
+                      infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY_FOCUS));
+                    } else {
+                      infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_FOCUS));
+                    }
+              }
 
-                      @Override
-                      public void mouseClicked(MouseEvent me) {
-                          ActionEvent e = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
-                          hashdataListener.actionPerformed(e);
-                      }
-                  });
-                  
-                  infoLabel.addKeyListener(new KeyAdapter() {
-                	  
-                 	 @Override
-                 	 public void keyPressed(KeyEvent e) {
-                 		 
-                 		 if(e.getKeyCode() == KeyEvent.VK_ENTER) {                			 
-                 			 ActionEvent e1 = new ActionEvent(this, ActionEvent.ACTION_PERFORMED, hashdataCommand);
-                              hashdataListener.actionPerformed(e1);
-                 		 }
-                 	 }
-                 	  
-                   });  
-                  
-                  infoLabel.addFocusListener(new FocusAdapter() {
-                	  
-                	  @Override
-                	  public void focusGained(FocusEvent e) {
-                		  
-                          if (shortText) {
-                              infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY_FOCUS));
-                            } else {
-                              infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_FOCUS));
-                            }
-                	  }
-                	  
-                	  @Override
-                	  public void focusLost(FocusEvent e) {
-                		  
-                          if (shortText) {
-                              infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
-                            } else {
-                              infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
-                            }
-                		  
-                	  }                	  
-                	  
-                  });                  
-                  
-                  helpMouseListener.setHelpTopic(HELP_SIGNPIN);
-                  helpKeyListener.setHelpTopic(HELP_SIGNPIN);
-                } else {
-                  String retryPattern;
-                  if (numRetries < 2) {
-                    retryPattern = getMessage(MESSAGE_LAST_RETRY);
-                  } else {
-                    retryPattern = getMessage(MESSAGE_RETRIES);
-                  }
-                  infoLabel.setFocusable(true);
-                  infoLabel.setText(MessageFormat.format(retryPattern, new Object[]{String.valueOf(numRetries)}));
-                  infoLabel.setFont(infoLabel.getFont().deriveFont(infoLabel.getFont().getStyle() | java.awt.Font.BOLD));
-                  infoLabel.setForeground(ERROR_COLOR);
-                  helpMouseListener.setHelpTopic(HELP_RETRY);
-                  helpKeyListener.setHelpTopic(HELP_RETRY);
-                }
+              @Override
+              public void focusLost(FocusEvent e) {
 
-                String msgPattern = getMessage(MESSAGE_ENTERPIN_PINPAD);
-                String msg = MessageFormat.format(msgPattern, new Object[] {
-                  pinSpec.getLocalizedName(), pinSpec.getLocalizedLength() });
+                  if (shortText) {
+                      infoLabel.setText(getMessage(MESSAGE_HASHDATALINK_TINY));
+                    } else {
+                      infoLabel.setText(getMessage(MESSAGE_HASHDATALINK));
+                    }
 
-                JLabel msgLabel = new JLabel();
-                msgLabel.setFont(msgLabel.getFont().deriveFont(msgLabel.getFont().getStyle() & ~Font.BOLD));
-                msgLabel.setText(msg);
+              }
 
-                GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
-                mainPanel.setLayout(mainPanelLayout);
+          });
 
-                GroupLayout.SequentialGroup infoHorizontal = mainPanelLayout.createSequentialGroup()
-                        .addComponent(infoLabel);
-                GroupLayout.ParallelGroup infoVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
-                        .addComponent(infoLabel);
+          helpMouseListener.setHelpTopic(HELP_SIGNPIN);
+          helpKeyListener.setHelpTopic(HELP_SIGNPIN);
 
-                if (!renderHeaderPanel) {
-                  infoHorizontal
-                          .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
-                          .addComponent(switchFocusDummyLabel)
-                          .addComponent(helpLabel)
-                          ;
-                  infoVertical
-                          .addComponent(switchFocusDummyLabel)
-                          .addComponent(helpLabel)
-                          ;
-                }
+          //TODO message panel
 
-                mainPanelLayout.setHorizontalGroup(
-                  mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
-                    .addGroup(infoHorizontal)
-                    .addComponent(msgLabel));
+//              String msgPattern = getMessage(MESSAGE_ENTERPIN_PINPAD);
+//              String msg = MessageFormat.format(msgPattern, new Object[] {
+//                pinSpec.getLocalizedName(), pinSpec.getLocalizedLength() });
+//
+//              JLabel msgLabel = new JLabel();
+//              msgLabel.setFont(msgLabel.getFont().deriveFont(msgLabel.getFont().getStyle() & ~Font.BOLD));
+//              msgLabel.setText(msg);
 
-                mainPanelLayout.setVerticalGroup(
-                  mainPanelLayout.createSequentialGroup()
-                    .addGroup(infoVertical)
+          GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
+          mainPanel.setLayout(mainPanelLayout);
+
+          GroupLayout.SequentialGroup infoHorizontal = mainPanelLayout.createSequentialGroup()
+                  .addComponent(infoLabel);
+          GroupLayout.ParallelGroup infoVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+                  .addComponent(infoLabel);
+
+          if (!renderHeaderPanel) {
+            infoHorizontal
+                    .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
+                    .addComponent(switchFocusDummyLabel)
+                    .addComponent(helpLabel)
+                    ;
+            infoVertical
+                    .addComponent(switchFocusDummyLabel)
+                    .addComponent(helpLabel)
+                    ;
+          }
+
+          mainPanelLayout.setHorizontalGroup(
+                  infoHorizontal);
+//              mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
+//                .addGroup(infoHorizontal)
+//                .addComponent(msgLabel));
+
+          mainPanelLayout.setVerticalGroup(
+                  infoVertical);
+//              mainPanelLayout.createSequentialGroup()
+//                .addGroup(infoVertical)
+//                .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
+//                .addComponent(msgLabel));
+
+
+          GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
+          buttonPanel.setLayout(buttonPanelLayout);
+
+          GroupLayout.SequentialGroup buttonHorizontal = buttonPanelLayout.createSequentialGroup();
+          GroupLayout.Group buttonVertical;
+
+          JButton enterPINButton = new JButton();
+          enterPINButton.setFont(enterPINButton.getFont().deriveFont(enterPINButton.getFont().getStyle() & ~java.awt.Font.BOLD));
+          enterPINButton.setText(getMessage(BUTTON_SIGN));
+          enterPINButton.setActionCommand(enterPINCommand);
+          enterPINButton.addActionListener(enterPINListener);
+
+          if (renderCancelButton) {
+            JButton cancelButton = new JButton();
+            cancelButton.setFont(cancelButton.getFont().deriveFont(cancelButton.getFont().getStyle() & ~java.awt.Font.BOLD));
+            cancelButton.setText(getMessage(BUTTON_CANCEL));
+            cancelButton.setActionCommand(cancelCommand);
+            cancelButton.addActionListener(cancelListener);
+
+            buttonHorizontal
+                    .addComponent(enterPINButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE)
                     .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED)
-                    .addComponent(msgLabel));
-
-                //no cancel button (cancel via pinpad)
-//                if (renderCancelButton) {
-//                    JButton cancelButton = new JButton();
-//                    cancelButton.setFont(cancelButton.getFont().deriveFont(cancelButton.getFont().getStyle() & ~java.awt.Font.BOLD));
-//                    cancelButton.setText(getMessage(BUTTON_CANCEL));
-//                    cancelButton.setActionCommand(cancelCommand);
-//                    cancelButton.addActionListener(cancelListener);
-//
-//                    GroupLayout buttonPanelLayout = new GroupLayout(buttonPanel);
-//                    buttonPanel.setLayout(buttonPanelLayout);
-//
-//                    GroupLayout.SequentialGroup buttonHorizontal = buttonPanelLayout.createSequentialGroup()
-//                            .addComponent(cancelButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE);
-//                    GroupLayout.SequentialGroup buttonVertical = buttonPanelLayout.createSequentialGroup()
-//                            .addComponent(cancelButton);
-//
-//                    buttonPanelLayout.setHorizontalGroup(buttonHorizontal);
-//                    buttonPanelLayout.setVerticalGroup(buttonVertical);
-//                }
+                    .addComponent(cancelButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE)
+                    ;
+            buttonVertical = buttonPanelLayout.createParallelGroup(GroupLayout.Alignment.BASELINE)
+                    .addComponent(enterPINButton)
+                    .addComponent(cancelButton)
+                    ;
+          } else {
+            buttonHorizontal
+                    .addComponent(enterPINButton, GroupLayout.PREFERRED_SIZE, buttonSize, GroupLayout.PREFERRED_SIZE)
+                    ;
+            buttonVertical = buttonPanelLayout.createSequentialGroup()
+                    .addComponent(enterPINButton)
+                    ;
+          }
 
-                contentPanel.validate();
-            }
-        });
+          buttonPanelLayout.setHorizontalGroup(buttonHorizontal);
+          buttonPanelLayout.setVerticalGroup(buttonVertical);
+
+          contentPanel.validate();
+        }
+    });
+  }
+
+  @Override
+  public void correctionButtonPressed() {
+    log.debug("[" + Thread.currentThread().getName() + "] correction button pressed");
+
+    if (pinpadPINField != null) {
+      String maskedPIN = pinpadPINField.getText();
+      pinpadPINField.setText(maskedPIN.substring(0, maskedPIN.length() - 1));
+    }
+  }
+
+  @Override
+  public void allKeysCleared() {
+    log.debug("[" + Thread.currentThread().getName() + "] all keys cleared");
+
+    if (pinpadPINField != null) {
+      pinpadPINField.setText("");
+    }
+  }
+
+  @Override
+  public void validKeyPressed() {
+    log.debug("[" + Thread.currentThread().getName() + "] valid key pressed");
+
+    if (pinpadPINField != null) {
+      pinpadPINField.setText(pinpadPINField.getText() + '*');
     }
+  }
 
     @Override
     public void showSignaturePINDialog(final PINSpec pinSpec, final int numRetries,
             final ActionListener signListener, final String signCommand,
             final ActionListener cancelListener, final String cancelCommand,
             final ActionListener hashdataListener, final String hashdataCommand) {
-//        showSignaturePINDialog(pinSpec, numRetries, okListener, okCommand, cancelListener, cancelCommand, hashdataListener, hashdataCommand);
-//    }
-//
-//    private void showSignaturePINDialog(final PINSpec pinSpec, final int numRetries, final ActionListener signListener, final String signCommand, final ActionListener cancelListener, final String cancelCommand, final ActionListener hashdataListener, final String hashdataCommand) {
 
       log.debug("scheduling signature-pin dialog");
       
@@ -1302,57 +1261,6 @@ public class BKUGUIImpl implements BKUGUIFacade {
         });
     }
 
-//    @Override
-//    public void showWaitDialog(final String waitMessage) {
-//
-//      log.debug("scheduling wait dialog");
-//
-//      SwingUtilities.invokeLater(new Runnable() {
-//
-//            @Override
-//            public void run() {
-//
-//              log.debug("show wait dialog");
-//
-//                mainPanel.removeAll();
-//                buttonPanel.removeAll();
-//
-//                if (renderHeaderPanel) {
-//                  titleLabel.setText(getMessage(TITLE_WAIT));
-//                }
-//
-//                helpListener.setHelpTopic(HELP_WAIT);
-//
-//                JLabel waitMsgLabel = new JLabel();
-//                waitMsgLabel.setFont(waitMsgLabel.getFont().deriveFont(waitMsgLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
-//                if (waitMessage != null) {
-//                    waitMsgLabel.setText("<html>" + waitMessage + "</html>");
-//                } else {
-//                    waitMsgLabel.setText(getMessage(MESSAGE_WAIT));
-//                }
-//
-//                GroupLayout mainPanelLayout = new GroupLayout(mainPanel);
-//                mainPanel.setLayout(mainPanelLayout);
-//
-//                GroupLayout.SequentialGroup messageHorizontal = mainPanelLayout.createSequentialGroup()
-//                        .addComponent(waitMsgLabel);
-//                GroupLayout.ParallelGroup messageVertical = mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
-//                        .addComponent(waitMsgLabel);
-//
-//                if (!renderHeaderPanel) {
-//                  messageHorizontal
-//                          .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED, 0, Short.MAX_VALUE)
-//                          .addComponent(helpLabel);
-//                  messageVertical
-//                          .addComponent(helpLabel);
-//                }
-//                mainPanelLayout.setHorizontalGroup(messageHorizontal);
-//                mainPanelLayout.setVerticalGroup(messageVertical);
-//
-//                contentPanel.validate();
-//            }
-//        });
-//    }
 
     @Override
     public char[] getPin() {
@@ -1395,7 +1303,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
               @Override
               public void run() {
                 try {
-                  showMessageDialog(TITLE_HASHDATA, MESSAGE_HASHDATA_VIEWER);
+                  showMessageDialog(TITLE_SIGNATURE_DATA, MESSAGE_HASHDATA_VIEWER);
                   showSecureViewer(dataToBeSigned.get(0), backListener, backCommand);
                 } catch (FontProviderException ex) {
                   log.error("failed to display secure viewer", ex);
@@ -1411,7 +1319,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
           }
         } else {
           log.debug("[" + Thread.currentThread().getName() + "] mime-type not supported by secure viewer, scheduling save dialog");
-          showMessageDialog(TITLE_HASHDATA, MESSAGE_UNSUPPORTED_MIMETYPE);
+          showMessageDialog(TITLE_SIGNATURE_DATA, MESSAGE_UNSUPPORTED_MIMETYPE);
           SecureViewerSaveDialog.showSaveDialog(dataToBeSigned.get(0), messages, backListener, backCommand); 
         }
       } else {
@@ -1421,28 +1329,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
     
     /**
      * has to be called from event dispatcher thread
-     * @param hashDataText
-     * @param saveListener
-     * @param saveCommand
      */
-//    private void showSecureViewer(HashDataInput dataToBeSigned) throws FontProviderException {
-//      
-//      log.debug("[" + Thread.currentThread().getName() + "] show secure viewer");
-//      if (secureViewer == null) {
-//        secureViewer = new SecureViewerDialog(null, messages,
-//                fontProvider, helpMouseListener.getActionListener());
-//
-//        // workaround for [#439]
-//        // avoid AlwaysOnTop at least in applet, otherwise make secureViewer AlwaysOnTop since MOCCA Dialog (JFrame created in LocalSTALFactory) is always on top.
-//        Window window = SwingUtilities.getWindowAncestor(contentPane);
-//        if (window != null && window.isAlwaysOnTop()) {
-//          log.debug("make secureViewer alwaysOnTop");
-//          secureViewer.setAlwaysOnTop(true);
-//        }
-//      }
-//      secureViewer.setContent(dataToBeSigned);
-//      log.trace("show secure viewer returned");
-//    }
     private void showSecureViewer(HashDataInput dataToBeSigned, ActionListener closeListener, String closeCommand) throws FontProviderException {
       
       log.debug("[" + Thread.currentThread().getName() + "] show secure viewer");
@@ -1479,7 +1366,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
           buttonPanel.removeAll();
 
           if (renderHeaderPanel) {
-            titleLabel.setText(getMessage(TITLE_HASHDATA));
+            titleLabel.setText(getMessage(TITLE_SIGNATURE_DATA));
           }
           
           helpMouseListener.setHelpTopic(HELP_HASHDATALIST);
@@ -1613,7 +1500,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
               @Override
               public void run() {
                 try {
-                  showMessageDialog(TITLE_HASHDATA, MESSAGE_HASHDATA_VIEWER);
+                  showMessageDialog(TITLE_SIGNATURE_DATA, MESSAGE_HASHDATA_VIEWER);
                   showSecureViewer(selection, backToListListener, null);
 //                  SecureViewerDialog.showSecureViewer(selection, messages, fontProvider, helpMouseListener.getActionListener(), false);
                 } catch (FontProviderException ex) {
@@ -1625,7 +1512,7 @@ public class BKUGUIImpl implements BKUGUIFacade {
             });
           } else {
             log.debug("[" + Thread.currentThread().getName() + "] mime-type not supported by secure viewer, scheduling save dialog");
-            showMessageDialog(BKUGUIFacade.TITLE_HASHDATA, BKUGUIFacade.MESSAGE_UNSUPPORTED_MIMETYPE);
+            showMessageDialog(BKUGUIFacade.TITLE_SIGNATURE_DATA, BKUGUIFacade.MESSAGE_UNSUPPORTED_MIMETYPE);
             SecureViewerSaveDialog.showSaveDialog(selection, messages, backToListListener, null);
           }
         }
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java
index 96032dc1..52a3d5fe 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/PinDocument.java
@@ -1,19 +1,19 @@
 /*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package at.gv.egiz.bku.gui;
 
 import java.util.regex.Matcher;
@@ -21,7 +21,6 @@ import java.util.regex.Pattern;
 import javax.swing.JButton;
 import javax.swing.text.AttributeSet;
 import javax.swing.text.BadLocationException;
-import javax.swing.text.Document;
 import javax.swing.text.PlainDocument;
 
 /**
@@ -31,16 +30,15 @@ import javax.swing.text.PlainDocument;
 class PINDocument extends PlainDocument {
 
   private static final long serialVersionUID = 1L;
-  
   protected Pattern pinPattern;
   protected int minLength;
   protected int maxLength;
-
   protected JButton enterButton;
-  protected Document compareTo;
-  protected Document oldPin;        
 
   public PINDocument(int minLength, int maxLength, String pattern, JButton enterButton) {
+    if (enterButton == null) {
+      throw new NullPointerException("OK button null");
+    }
     if (pattern != null) {
       pinPattern = Pattern.compile(pattern);
     } else {
@@ -51,73 +49,26 @@ class PINDocument extends PlainDocument {
     this.enterButton = enterButton;
   }
 
-  /**
-   * @param pinSpec
-   * @param enterButton
-   * @param compareTo
-   *          enable enterButton if this pinDocument's pin equals to
-   *          compareTo's pin. may be null
-   */
-  public PINDocument(int minLength, int maxLength, String pattern, JButton enterButton, Document compareTo) {
-    this(minLength, maxLength, pattern, enterButton);
-    this.compareTo = compareTo;
+  @Override
+  public void insertString(int offs, String str, AttributeSet a) throws BadLocationException {
+    if (maxLength < 0 || maxLength >= (getLength() + str.length())) {
+      boolean matches = true;
+      for (int i = 0; i < str.length(); i++) {
+        Matcher m = pinPattern.matcher(str.substring(i, i + 1));
+        if (!m.matches()) {
+          matches = false;
+        }
+      }
+      if (matches) {
+        super.insertString(offs, str, a);
+        enterButton.setEnabled(getLength() >= minLength);
+      }
+    }
   }
 
-  /**
-   * @param pinSpec
-   * @param enterButton
-   *          may be null
-   * @param compareTo
-   *          enable enterButton if this pinDocument's pin equals to
-   *          compareTo's pin. may be null
-   * @param oldPin
-   *          enable enterButton if oldPin meets the pinSpec pin length
-   *          requirements, may be null
-   */
-  public PINDocument(int minLength, int maxLength, String pattern,
-      JButton enterButton, Document compareTo, Document oldPin) {
-    this(minLength, maxLength, pattern, enterButton);
-    this.compareTo = compareTo;
-    this.oldPin = oldPin;
+  @Override
+  public void remove(int offs, int len) throws BadLocationException {
+    super.remove(offs, len);
+    enterButton.setEnabled(getLength() >= minLength);
   }
-
-        @Override
-        public void insertString(int offs, String str, AttributeSet a) throws BadLocationException {
-            if (maxLength < 0 || maxLength >= (getLength() + str.length())) {
-                boolean matches = true;
-                for (int i = 0; i < str.length(); i++) {
-                    Matcher m = pinPattern.matcher(str.substring(i, i + 1));
-                    if (!m.matches()) {
-                        matches = false;
-                    }
-                }
-                if (matches) {
-                    super.insertString(offs, str, a);
-                }
-            }
-            if (enterButton != null) {
-              enterButton.setEnabled(
-                      (oldPin == null || oldPin.getLength() >= minLength) &&
-                      getLength() >= minLength &&
-                      compare());
-            }
-        }
-
-        @Override
-        public void remove(int offs, int len) throws BadLocationException {
-            super.remove(offs, len);
-            if (enterButton != null) {
-              enterButton.setEnabled(
-                      (oldPin == null || oldPin.getLength() >= minLength) &&
-                      getLength() >= minLength &&
-                      compare());
-            }
-        }
-
-        private boolean compare() throws BadLocationException {
-          if (compareTo == null) {
-            return true;
-          }
-          return compareTo.getText(0, compareTo.getLength()).equals(getText(0, getLength()));
-        }
-    }
\ No newline at end of file
+}
diff --git a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java
index 7bae4673..7db70c46 100644
--- a/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java
+++ b/BKUCommonGUI/src/main/java/at/gv/egiz/bku/gui/SecureViewerDialog.java
@@ -17,7 +17,6 @@
 package at.gv.egiz.bku.gui;
 
 import at.gv.egiz.bku.gui.viewer.FontProvider;
-import at.gv.egiz.bku.gui.viewer.FontProviderException;
 import at.gv.egiz.bku.gui.viewer.SecureViewerSaveDialog;
 import at.gv.egiz.stal.HashDataInput;
 import java.awt.Container;
@@ -25,7 +24,6 @@ import java.awt.Cursor;
 import java.awt.Dimension;
 import java.awt.Font;
 import java.awt.Frame;
-import java.awt.Window;
 import java.awt.event.ActionEvent;
 import java.awt.event.ActionListener;
 import java.awt.event.FocusAdapter;
@@ -34,32 +32,26 @@ import java.awt.event.KeyAdapter;
 import java.awt.event.KeyEvent;
 import java.awt.event.MouseAdapter;
 import java.awt.event.MouseEvent;
-import java.io.BufferedOutputStream;
+import java.awt.event.WindowAdapter;
+import java.awt.event.WindowEvent;
 import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.nio.charset.Charset;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Locale;
 import java.util.ResourceBundle;
 import javax.swing.GroupLayout;
 import javax.swing.ImageIcon;
 import javax.swing.JButton;
 import javax.swing.JDialog;
 import javax.swing.JEditorPane;
-import javax.swing.JFileChooser;
 import javax.swing.JLabel;
-import javax.swing.JOptionPane;
 import javax.swing.JPanel;
 import javax.swing.JScrollPane;
 import javax.swing.LayoutStyle;
-import javax.swing.SwingUtilities;
+import javax.swing.WindowConstants;
 import javax.swing.text.Document;
 import javax.swing.text.EditorKit;
 import javax.swing.text.StyledEditorKit;
@@ -71,7 +63,7 @@ import org.apache.commons.logging.LogFactory;
  *
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
  */
-public class SecureViewerDialog extends JDialog implements ActionListener {
+public class SecureViewerDialog extends JDialog {
 
   /** don't import BKUFonts in order not to load BKUFonts.jar
    * BKUApplet includes BKUFonts as runtime dependency only, the jar is copied to the applet dir in BKUOnline with dependency-plugin
@@ -100,19 +92,6 @@ public class SecureViewerDialog extends JDialog implements ActionListener {
    * @param owner, dialog is positioned relative to its owner
    * (if null, at default location of native windowing system)
    */
-//  public static void showDataToBeSigned(HashDataInput dataToBeSigned,
-//          ResourceBundle messages,
-//          ActionListener saveListener, String saveCommand,
-//          ActionListener helpListener) {
-//
-////      Frame ownerFrame = (owner != null) ?
-////        JOptionPane.getFrameForComponent(owner) :
-////        null;
-//    dialog = new SecureViewerDialog(null, messages,
-//            saveListener, saveCommand, helpListener);
-//    dialog.setContent(dataToBeSigned);
-//    dialog.setVisible(true);
-//  }
   public SecureViewerDialog(Frame owner, ResourceBundle messages,
           ActionListener closeListener, String closeCommand,
           FontProvider fontProvider, ActionListener helpListener) {
@@ -125,6 +104,10 @@ public class SecureViewerDialog extends JDialog implements ActionListener {
             createViewerPanel(helpListener),
             createButtonPanel(closeListener, closeCommand));
 
+    // also leave defaultWindowClosing HIDE_ON_CLOSE
+    this.addWindowListener(new WindowCloseListener(closeListener, closeCommand));
+    this.setDefaultCloseOperation(WindowConstants.DO_NOTHING_ON_CLOSE);
+
     pack();
     if (owner != null) {
       setLocationRelativeTo(owner);
@@ -305,19 +288,11 @@ public class SecureViewerDialog extends JDialog implements ActionListener {
     JButton closeButton = new JButton();
     closeButton.setText(messages.getString(BKUGUIFacade.BUTTON_CLOSE));
     closeButton.setActionCommand(closeCommand);
-    closeButton.addActionListener(closeListener);
-    closeButton.addActionListener(new ActionListener() {
-      @Override
-      public void actionPerformed(ActionEvent e) {
-        log.trace("[" + Thread.currentThread().getName() + "] closing secure viewer");
-        setVisible(false);
-      }
-    });
+    closeButton.addActionListener(new CloseButtonListener(closeListener));
 
     JButton saveButton = new JButton();
     saveButton.setText(messages.getString(BKUGUIFacade.BUTTON_SAVE));
-    saveButton.setActionCommand("save"); //TODO ensure unequal to closeCommand 
-    saveButton.addActionListener(this);
+    saveButton.addActionListener(new SaveButtonListener());
 
     int buttonSize = closeButton.getPreferredSize().width;
     if (saveButton.getPreferredSize().width > buttonSize) {
@@ -336,39 +311,50 @@ public class SecureViewerDialog extends JDialog implements ActionListener {
     return buttonPanel;
   }
 
-  @Override
-  public void actionPerformed(ActionEvent e) {
-    if ("save".equals(e.getActionCommand())) {
+  public class WindowCloseListener extends WindowAdapter {
+
+    ActionListener closeListener;
+    String closeCommand;
+
+    public WindowCloseListener(ActionListener closeListener, String closeCommand) {
+      this.closeListener = closeListener;
+      this.closeCommand = closeCommand;
+    }
+
+    @Override
+    public void windowClosing(WindowEvent e) {
+      log.trace("[" + Thread.currentThread().getName() + "] closing secure viewer");
+      setVisible(false);
+      if (closeListener != null) {
+        closeListener.actionPerformed(new ActionEvent(e.getSource(), e.getID(), closeCommand));
+      }
+    }
+  }
+
+  public class CloseButtonListener implements ActionListener {
+
+    ActionListener closeListener;
+
+    public CloseButtonListener(ActionListener closeListener) {
+      this.closeListener = closeListener;
+    }
+
+    @Override
+    public void actionPerformed(ActionEvent e) {
+      log.trace("[" + Thread.currentThread().getName() + "] closing secure viewer");
+      setVisible(false);
+      if (closeListener != null) {
+        closeListener.actionPerformed(e);
+    }
+    }
+  }
+
+  public class SaveButtonListener implements ActionListener {
+
+    @Override
+    public void actionPerformed(ActionEvent e) {
       log.trace("[" + Thread.currentThread().getName() + "] display secure viewer save dialog");
       SecureViewerSaveDialog.showSaveDialog(content, messages, null, null);
-      log.trace("done secure viewer save");
-    } else {
-      log.warn("unknown action command " + e.getActionCommand());
     }
   }
-  
-  
-//  //TEST
-//  private static SecureViewerDialog secureViewer;
-//  public static void showSecureViewerXXX(HashDataInput dataToBeSigned, ResourceBundle messages, FontProvider fontProvider, ActionListener helpListener, boolean alwaysOnTop) throws FontProviderException {
-//    
-////    ResourceBundle messages = ResourceBundle.getBundle(BKUGUIFacade.MESSAGES_BUNDLE, locale);
-//    
-//    log.debug("[" + Thread.currentThread().getName() + "] show secure viewer");
-//    if (secureViewer == null) {
-//      secureViewer = new SecureViewerDialog(null, messages,
-//              fontProvider, helpListener); 
-//
-//      // workaround for [#439]
-//      // avoid AlwaysOnTop at least in applet, otherwise make secureViewer AlwaysOnTop since MOCCA Dialog (JFrame created in LocalSTALFactory) is always on top.
-////      Window window = SwingUtilities.getWindowAncestor(contentPane);
-////      if (window != null && window.isAlwaysOnTop()) {
-////        log.debug("make secureViewer alwaysOnTop");
-//        secureViewer.setAlwaysOnTop(alwaysOnTop);
-////      }
-//    }
-//    secureViewer.setContent(dataToBeSigned);
-//    log.trace("show secure viewer returned");
-//  }
-
 }
diff --git a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties
index 3e483fc8..c09433de 100644
--- a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties
+++ b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages.properties
@@ -16,15 +16,15 @@
 title.welcome=<html>Willkommen</html>
 title.insertcard=<html>Keine B\u00FCrgerkarte gefunden</html>
 title.cardnotsupported=<html>Die Karte wird nicht unterst\u00FCtzt</html>
-#title.cardpin=<html>{0} eingeben</html>
-title.cardpin=<html>Karte wird gelesen</html>
+title.verify.pin=<html>Karte wird gelesen</html>
 title.sign=<html>Signatur erstellen</html>
+title.verify.pinpad=<html>PIN eingeben
 title.error=<html>Fehler</html>
 title.warning=<html>Achtung
 title.entry.timeout=<html>Zeit\u00FCberschreitung</html>
 title.retry=<html>Falsche PIN</html>
 title.wait=<html>Bitte warten</html>
-title.hashdata=<html>Signaturdaten</html>
+title.signature.data=<html>Signaturdaten</html>
 windowtitle.save=Signaturdaten speichern
 windowtitle.error=Fehler
 windowtitle.savedir=Signaturdaten in Verzeichnis speichern
@@ -38,7 +38,8 @@ wait=<html>Bitte warten...</html>
 cardnotsupported=<html>Bitte die B\u00FCrgerkarte in den Kartenleser stecken</html>
 insertcard=<html>Bitte die B\u00FCrgerkarte in den Kartenleser stecken</html>
 enterpin=<html>{0} eingeben</html>
-enterpin.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben</html>
+enterpin.pinpad=<html>PIN am Kartenleser eingeben</html>
+enterpin.pinpad.direct=<html>{0} ({1} stellig) am Kartenleser eingeben</html>
 hashdatalink=<html><a href=\"anzeige\">Signaturdaten anzeigen</a></html>
 hashdatalink.tiny=<html><a href=\"anzeige\">Signaturdaten</a></html>
 hashdatalink.focus=<html><a href=\"anzeige\">[Signaturdaten anzeigen]</a></html>
diff --git a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties
index c553bcb5..4d86d21b 100644
--- a/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties
+++ b/BKUCommonGUI/src/main/resources/at/gv/egiz/bku/gui/Messages_en.properties
@@ -16,15 +16,15 @@
 title.welcome=<html>Welcome</html>
 title.insertcard=<html>No citizen card found</html>
 title.cardnotsupported=<html>This card is not supported</html>
-#title.cardpin=<html>Enter {0}</html>
-title.cardpin=<html>Reading card</html>
+title.verify.pin=<html>Reading card</html>
 title.sign=<html>Create signature</html>
+title.verify.pinpad=<html>Enter PIN
 title.error=<html>Error</html>
 title.warning=<html>Warning
 title.entry.timeout=<html>Timeout</html>
 title.retry=<html>Wrong PIN</html>
 title.wait=<html>Please wait</html>
-title.hashdata=<html>Signature data</html>
+title.signature.data=<html>Signature data</html>
 windowtitle.save=Save signature data
 windowtitle.error=Error
 windowtitle.savedir=Save signature data to directory
@@ -38,7 +38,8 @@ wait=<html>Please wait...</html>
 insertcard=<html>Please insert your citizen card into the reader</html>
 cardnotsupported=<html>Please insert your citizen card into the reader</html>
 enterpin=<html>Enter {0}</html>
-enterpin.pinpad=<html>Enter {0} ({1} digits) on card reader pinpad</html>
+enterpin.pinpad=<html>Enter PIN on card reader pinpad</html>
+enterpin.pinpad.direct=<html>Enter {0} ({1} digits) on card reader pinpad</html>
 hashdatalink=<html><a href=\"anzeige\">Display signature data</a></html>
 hashdatalink.tiny=<html><a href=\"anzeige\">signature data</a></html>
 hashdatalink.focus=<html><a href=\"anzeige\">[Display signature data]</a></html>
diff --git a/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java b/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java
index 6e345ee3..a2a84d6e 100644
--- a/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java
+++ b/BKUCommonGUI/src/test/java/at/gv/egiz/bku/gui/BKUGUIWorker.java
@@ -45,7 +45,7 @@ public class BKUGUIWorker implements Runnable {
 
   @Override
   public void run() {
-//        try {
+        try {
 
     final PINSpec signPinSpec = new PINSpec(6, 10, "[0-9]", "Test-PIN", (byte) 0x81, null);
     final PINSpec cardPinSpec = new PINSpec(4, 4, "[0-9]", "Test-PIN", (byte) 0x01, null);
@@ -155,7 +155,10 @@ public class BKUGUIWorker implements Runnable {
 //
 //            gui.showSignaturePINDialog(signPinSpec, -1, signListener, "sign", cancelListener, "cancel", hashdataListener, "hashdata");
 
-    gui.showPinpadSignaturePINDialog(signPinSpec, -1, hashdataListener, "hashdata");
+    gui.showSignatureDataDialog(signPinSpec, signListener, "sign", cancelListener, "cancel", hashdataListener, "hashdata");
+    Thread.sleep(2000);
+    
+    gui.showEnterPINDirect(signPinSpec, -1);
 //
 //            Thread.sleep(4000);
 //
@@ -189,8 +192,8 @@ public class BKUGUIWorker implements Runnable {
 //            gui.showTextPlainHashDataInput("hallo,\n welt!", "12345", null, "cancel", null, "save");
 //            Thread.sleep(2000);
 
-//        } catch (InterruptedException ex) {
-//            ex.printStackTrace();
-//        }
+        } catch (InterruptedException ex) {
+            ex.printStackTrace();
+        }
   }
 }
diff --git a/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ComparePinDocument.java b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ComparePinDocument.java
new file mode 100644
index 00000000..623f6fad
--- /dev/null
+++ b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ComparePinDocument.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.gui;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.swing.JButton;
+import javax.swing.text.AttributeSet;
+import javax.swing.text.BadLocationException;
+import javax.swing.text.Document;
+import javax.swing.text.PlainDocument;
+
+/**
+ * Checks if the pin confirmation (compareTo) corresponds to this pin.
+ * Additionally, checks if currentPIN (optional) meets the requirements before enabling the OK button.
+ * @author clemens
+ */
+class ComparePinDocument extends PlainDocument {
+
+  private static final long serialVersionUID = 1L;
+  protected Pattern pinPattern;
+  protected int minLength;
+  protected int maxLength;
+  protected JButton enterButton;
+  protected Document compareTo;
+  protected Document currentPIN;
+
+  /**
+   * Constructor without compareTo Document parameter (allow null and set later to avoid cyclic dependencies)
+   */
+  public ComparePinDocument(int minLength, int maxLength, String pattern, JButton enterButton) {
+    if (enterButton == null) {
+      throw new NullPointerException("OK button null");
+    }
+    if (pattern != null) {
+      pinPattern = Pattern.compile(pattern);
+    } else {
+      pinPattern = Pattern.compile(".");
+    }
+    this.minLength = minLength;
+    this.maxLength = maxLength;
+    this.enterButton = enterButton;
+  }
+
+  /**
+   * @param compareTo should not be null (allow null and set later to avoid cyclic dependencies)
+   */
+  public ComparePinDocument(int minLength, int maxLength, String pattern,
+          JButton enterButton, Document compareTo) {
+    this(minLength, maxLength, pattern, enterButton);
+    this.compareTo = compareTo;
+  }
+  
+  public ComparePinDocument(int minLength, int maxLength, String pattern,
+          JButton enterButton, Document compareTo, Document currentPIN) {
+    this(minLength, maxLength, pattern, enterButton, compareTo);
+    this.currentPIN = currentPIN;
+  }
+
+  @Override
+  public void insertString(int offs, String str, AttributeSet a) throws BadLocationException {
+    if (maxLength < 0 || maxLength >= (getLength() + str.length())) {
+      boolean matches = true;
+      for (int i = 0; i < str.length(); i++) {
+        Matcher m = pinPattern.matcher(str.substring(i, i + 1));
+        if (!m.matches()) {
+          matches = false;
+        }
+      }
+      if (matches) {
+        super.insertString(offs, str, a);
+        enterButton.setEnabled(
+                getLength() >= minLength
+                && (currentPIN == null || currentPIN.getLength() >= minLength)
+                && compareTo.getText(0, compareTo.getLength()).equals(getText(0, getLength())));
+      }
+    }
+  }
+
+  @Override
+  public void remove(int offs, int len) throws BadLocationException {
+    super.remove(offs, len);
+    enterButton.setEnabled(
+            getLength() >= minLength
+            && (currentPIN == null || currentPIN.getLength() >= minLength)
+            && compareTo.getText(0, compareTo.getLength()).equals(getText(0, getLength())));
+  }
+}
diff --git a/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ExtendedPinDocument.java b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ExtendedPinDocument.java
new file mode 100644
index 00000000..3a0d7a66
--- /dev/null
+++ b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/ExtendedPinDocument.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.gui;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.swing.JButton;
+import javax.swing.text.AttributeSet;
+import javax.swing.text.BadLocationException;
+import javax.swing.text.Document;
+import javax.swing.text.PlainDocument;
+
+/**
+ * This PINDocument also checks if the additional (optional) pinDocuments also meet the requirements
+ * to enable the OK button. 
+ * Checks if (optional) newPIN and confirmPIN correspond
+ * 
+ * @author clemens
+ */
+class ExtendedPinDocument extends PlainDocument {
+
+  private static final long serialVersionUID = 1L;
+  protected Pattern pinPattern;
+  protected int minLength;
+  protected int maxLength;
+  protected JButton enterButton;
+  protected Document newPIN;
+  protected Document confirmPIN;
+
+  public ExtendedPinDocument(int minLength, int maxLength, String pattern, JButton enterButton) {
+    if (enterButton == null) {
+      throw new NullPointerException("OK Button null");
+    }
+    if (pattern != null) {
+      pinPattern = Pattern.compile(pattern);
+    } else {
+      pinPattern = Pattern.compile(".");
+    }
+    this.minLength = minLength;
+    this.maxLength = maxLength;
+    this.enterButton = enterButton;
+  }
+
+  /**
+   * @param pinSpec
+   * @param enterButton
+   * @param newPIN, confirmPIN
+   */
+  public ExtendedPinDocument(int minLength, int maxLength, String pattern, JButton enterButton, Document newPIN, Document confirmPIN) {
+    this(minLength, maxLength, pattern, enterButton);
+    this.newPIN = newPIN;
+    this.confirmPIN = confirmPIN;
+  }
+
+  @Override
+  public void insertString(int offs, String str, AttributeSet a) throws BadLocationException {
+    if (maxLength < 0 || maxLength >= (getLength() + str.length())) {
+      boolean matches = true;
+      for (int i = 0; i < str.length(); i++) {
+        Matcher m = pinPattern.matcher(str.substring(i, i + 1));
+        if (!m.matches()) {
+          matches = false;
+        }
+      }
+      if (matches) {
+        super.insertString(offs, str, a);
+        enterButton.setEnabled(
+                getLength() >= minLength
+                && (newPIN == null || newPIN.getLength() >= minLength)
+                && (confirmPIN == null || compare()));
+      }
+    }
+  }
+
+  @Override
+  public void remove(int offs, int len) throws BadLocationException {
+    super.remove(offs, len);
+    enterButton.setEnabled(
+            getLength() >= minLength
+            && (newPIN == null || newPIN.getLength() >= minLength)
+            && (confirmPIN == null || compare()));
+  }
+
+  /**
+   * assume confirmPIN != null
+   * @return
+   */
+  private boolean compare() throws BadLocationException {
+    if (newPIN != null) {
+      return confirmPIN.getText(0, confirmPIN.getLength()).equals(newPIN.getText(0, newPIN.getLength()));
+    }
+    return false;
+  }
+}
diff --git a/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java
index 5bbed096..4dcc388f 100644
--- a/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java
+++ b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUI.java
@@ -239,23 +239,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
   }
 
   @Override
-  public void showPINDialog(DIALOG type, PINSpec pinSpec,
-          ActionListener okListener, String okCommand,
-          ActionListener cancelListener, String cancelCommand) {
-    showPINDialog(type, pinSpec, -1, false,
-            okListener, okCommand, cancelListener, cancelCommand);
-  }
-
-  @Override
-  public void showPINDialog(DIALOG type, PINSpec pinSpec, int retries,
-          ActionListener okListener, String okCommand,
-          ActionListener cancelListener, String cancelCommand) {
-    showPINDialog(type, pinSpec, retries, false,
-            okListener, okCommand, cancelListener, cancelCommand);
-  }
-
-  @Override
-  public void showPinpadPINDialog(DIALOG type, PINSpec pinSpec, int retries) {
+  public void showModifyPINDirect(DIALOG type, PINSpec pinSpec, int retries) {
     String title, msg;
     Object[] params;
     if (retries < 0) {
@@ -269,19 +253,19 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
       if (type == DIALOG.CHANGE) {
         log.debug("show change pin dialog");
         title = TITLE_CHANGE_PIN;
-        msg = MESSAGE_CHANGEPIN_PINPAD;
+        msg = MESSAGE_CHANGE_PINPAD_DIREKT;
       } else if (type == DIALOG.ACTIVATE) {
         log.debug("show activate pin dialog");
         title = TITLE_ACTIVATE_PIN;
-        msg = MESSAGE_ENTERPIN_PINPAD;
+        msg = MESSAGE_ACTIVATE_PINPAD_DIREKT;
       } else if (type == DIALOG.VERIFY) {
         log.debug("show verify pin dialog");
-        title = TITLE_VERIFY_PIN;
-        msg = MESSAGE_ENTERPIN_PINPAD;
+        title = TITLE_VERIFY_PINPAD;
+        msg = MESSAGE_ENTERPIN_PINPAD_DIRECT;
       } else {
         log.debug("show unblock pin dialog");
         title = TITLE_UNBLOCK_PIN;
-        msg = MESSAGE_ENTERPIN_PINPAD;
+        msg = MESSAGE_UNBLOCK_PINPAD_DIREKT;
       }
 
     } else {
@@ -294,6 +278,15 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
     showMessageDialog(title, msg, params);
   }
 
+  @Override
+  public void showPINDialog(DIALOG type, PINSpec pinSpec, int retries,
+          ActionListener okListener, String okCommand,
+          ActionListener cancelListener, String cancelCommand) {
+    showPINDialog(type, pinSpec, retries, false,
+            okListener, okCommand, cancelListener, cancelCommand);
+  }
+
+
   private void showPINDialog(final DIALOG type, final PINSpec pinSpec,
           final int retries, final boolean pinpad,
           final ActionListener okListener, final String okCommand,
@@ -322,7 +315,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                 } else if (type == DIALOG.VERIFY) {
                   log.debug("show verify pin dialog");
                   TITLE = TITLE_VERIFY_PIN;
-                  MESSAGE_MGMT = MESSAGE_VERIFY_PIN;
+                  MESSAGE_MGMT = MESSAGE_ENTERPIN;
                 } else {
                   log.debug("show unblock pin dialog");
                   TITLE = TITLE_UNBLOCK_PIN;
@@ -393,7 +386,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                 if (pinpad) {
                   JLabel pinpadLabel = new JLabel();
                   pinpadLabel.setFont(mgmtLabel.getFont().deriveFont(mgmtLabel.getFont().getStyle() & ~Font.BOLD));
-                  String pinpadPattern = getMessage(MESSAGE_VERIFYPIN_PINPAD);
+                  String pinpadPattern = getMessage(MESSAGE_ENTERPIN_PINPAD);
                   pinpadLabel.setText(MessageFormat.format(pinpadPattern,
                           new Object[] { pinSpec.getLocalizedName(), pinSpec.getLocalizedLength() }));
                   
@@ -403,7 +396,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                           .addComponent(pinpadLabel);
                 } else {
 
-                JButton okButton = new JButton();
+                final JButton okButton = new JButton();
                 okButton.setFont(okButton.getFont().deriveFont(okButton.getFont().getStyle() & ~Font.BOLD));
                 okButton.setText(getMessage(BUTTON_OK));
                 okButton.setEnabled(pinSpec.getMinLength() <= 0);
@@ -414,7 +407,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                 JLabel repeatPinLabel = null;
                 JLabel pinLabel = new JLabel();
                 pinLabel.setFont(pinLabel.getFont().deriveFont(pinLabel.getFont().getStyle() & ~Font.BOLD));
-                String pinLabelPattern = (type == DIALOG.CHANGE) ? getMessage(LABEL_NEW_PIN) : getMessage(LABEL_PIN);
+                String pinLabelPattern = (type == DIALOG.CHANGE || type == DIALOG.UNBLOCK) ? getMessage(LABEL_NEW_PIN) : getMessage(LABEL_PIN);
                 pinLabel.setText(MessageFormat.format(pinLabelPattern, new Object[]{pinSpec.getLocalizedName()}));
 
                 final JPasswordField repeatPinField = new JPasswordField();
@@ -436,8 +429,6 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                 });
 
                 if (type != DIALOG.VERIFY) {
-                  pinField.setDocument(
-                      new PINDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(), null));
                   repeatPinLabel = new JLabel();
                   repeatPinLabel.setFont(pinLabel.getFont());
                   String repeatPinLabelPattern = getMessage(LABEL_REPEAT_PIN);
@@ -449,22 +440,20 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
 
                       @Override
                       public void actionPerformed(ActionEvent e) {
-                          if (pinField.getPassword().length >= pinSpec.getMinLength()) {
+                          if (okButton.isEnabled()) {
                               okListener.actionPerformed(e);
                           }
                       }
                   });
 
-                  if (type == DIALOG.CHANGE) {
+                  if (type == DIALOG.CHANGE || type == DIALOG.UNBLOCK) {
                     oldPinLabel = new JLabel();
                     oldPinLabel.setFont(oldPinLabel.getFont().deriveFont(oldPinLabel.getFont().getStyle() & ~java.awt.Font.BOLD));
-                    String oldPinLabelPattern = getMessage(LABEL_OLD_PIN);
+                    String oldPinLabelPattern = getMessage((type == DIALOG.CHANGE) ? LABEL_OLD_PIN : LABEL_PUK);
                     oldPinLabel.setText(MessageFormat.format(oldPinLabelPattern, new Object[]{pinSpec.getLocalizedName()}));
 
                     oldPinField = new JPasswordField();
                     oldPinField.setText("");
-                    oldPinField.setDocument(
-                        new PINDocument(pinSpec.getMinLength(), pinSpec.getMaxLength(), pinSpec.getRexepPattern(), null));
                     oldPinField.setActionCommand(okCommand);
                     oldPinField.addActionListener(new ActionListener() {
 
@@ -476,16 +465,45 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
                         }
                     });
 
-                    repeatPinField.setDocument(
-                        new PINDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(), 
-                            okButton, pinField.getDocument(), oldPinField.getDocument()));
+                    ExtendedPinDocument oldPinDocument =
+                        new ExtendedPinDocument(pinSpec.getMinLength(), pinSpec.getMaxLength(),
+                            pinSpec.getRexepPattern(), okButton);
+                    ComparePinDocument newPinDocument =
+                        new ComparePinDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(),
+                            okButton);
+                    ComparePinDocument confirmPinDocument =
+                        new ComparePinDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(),
+                            okButton);
+
+                    oldPinDocument.newPIN = newPinDocument;
+                    oldPinDocument.confirmPIN = confirmPinDocument;
+                    
+                    newPinDocument.compareTo = confirmPinDocument;
+                    newPinDocument.currentPIN = oldPinDocument;
+                    confirmPinDocument.compareTo = newPinDocument;
+                    confirmPinDocument.currentPIN = oldPinDocument;
+
+                    oldPinField.setDocument(oldPinDocument);
+                    pinField.setDocument(newPinDocument);
+                    repeatPinField.setDocument(confirmPinDocument);
+
                   } else {
                     // else -> ACTIVATE (not verify, not change)
-                    repeatPinField.setDocument(
-                        new PINDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(), 
-                            okButton, pinField.getDocument()));
+                    ComparePinDocument newPinDocument =
+                        new ComparePinDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(),
+                            okButton);
+                    ComparePinDocument confirmPinDocument =
+                        new ComparePinDocument(pinSpec.getRecMinLength(), pinSpec.getRecMaxLength(), pinSpec.getRexepPattern(),
+                            okButton);
+
+                    newPinDocument.compareTo = confirmPinDocument;
+                    confirmPinDocument.compareTo = newPinDocument;
+
+                    pinField.setDocument(newPinDocument);
+                    repeatPinField.setDocument(confirmPinDocument);
                   }
                 } else {
+                  // VERIFY
                   pinField.setDocument(
                       new PINDocument(pinSpec.getMinLength(), pinSpec.getMaxLength(), pinSpec.getRexepPattern(), okButton));
                 }
@@ -534,7 +552,7 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
 //                } else {
 
 
-                  if (type == DIALOG.CHANGE) {
+                  if (type == DIALOG.CHANGE || type == DIALOG.UNBLOCK) {
                     pinHorizontal
                           .addGroup(mainPanelLayout.createSequentialGroup()
                             .addGroup(mainPanelLayout.createParallelGroup(GroupLayout.Alignment.LEADING)
@@ -675,4 +693,69 @@ public class PINManagementGUI extends CardMgmtGUI implements PINManagementGUIFac
     return bs;
   }
 
+  @Override
+  public void showEnterCurrentPIN(DIALOG type, PINSpec pinSpec, int retries) {
+    String title, message;
+//    Object[] params = null;
+    
+    if (type == PINManagementGUIFacade.DIALOG.VERIFY) {
+      title = PINManagementGUIFacade.TITLE_VERIFY_PINPAD;
+      message = BKUGUIFacade.MESSAGE_ENTERPIN_PINPAD;
+//      params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
+    } else if (type == PINManagementGUIFacade.DIALOG.ACTIVATE) {
+      title = PINManagementGUIFacade.TITLE_ACTIVATE_PIN;
+      message = PINManagementGUIFacade.MESSAGE_ACTIVATE_PINPAD_CURRENT;
+//      params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
+    } else if (type == PINManagementGUIFacade.DIALOG.CHANGE) {
+      title = PINManagementGUIFacade.TITLE_CHANGE_PIN;
+      message = PINManagementGUIFacade.MESSAGE_CHANGE_PINPAD_CURRENT;
+//      params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
+    } else { //if (type == DIALOG.UNBLOCK) {
+      title = PINManagementGUIFacade.TITLE_UNBLOCK_PIN;
+      message = PINManagementGUIFacade.MESSAGE_UNBLOCK_PINPAD_CURRENT;
+//      params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
+    }
+    showEnterPIN(pinSpec, retries, title, message, null);
+  }
+
+  @Override
+  public void showEnterNewPIN(DIALOG type, PINSpec pinSpec) {
+    String title, message;
+    if (type == PINManagementGUIFacade.DIALOG.ACTIVATE) {
+      title = PINManagementGUIFacade.TITLE_ACTIVATE_PIN;
+      message = PINManagementGUIFacade.MESSAGE_ACTIVATE_PINPAD_NEW;
+    } else if (type == PINManagementGUIFacade.DIALOG.CHANGE) {
+      title = PINManagementGUIFacade.TITLE_CHANGE_PIN;
+      message = PINManagementGUIFacade.MESSAGE_CHANGE_PINPAD_NEW;
+    } else if (type == DIALOG.UNBLOCK) {
+      title = PINManagementGUIFacade.TITLE_UNBLOCK_PIN;
+      message = PINManagementGUIFacade.MESSAGE_UNBLOCK_PINPAD_NEW;
+    } else {
+      log.error("enterNewPIN not supported for dialog type " + type);
+      showErrorDialog(ERR_UNKNOWN, null);
+      return;
+    }
+    showEnterPIN(pinSpec, -1, title, message, null);
+  }
+
+  @Override
+  public void showConfirmNewPIN(DIALOG type, PINSpec pinSpec) {
+    String title, message;
+    if (type == PINManagementGUIFacade.DIALOG.ACTIVATE) {
+      title = PINManagementGUIFacade.TITLE_ACTIVATE_PIN;
+      message = PINManagementGUIFacade.MESSAGE_ACTIVATE_PINPAD_CONFIRM;
+    } else if (type == PINManagementGUIFacade.DIALOG.CHANGE) {
+      title = PINManagementGUIFacade.TITLE_CHANGE_PIN;
+      message = PINManagementGUIFacade.MESSAGE_CHANGE_PINPAD_CONFIRM;
+    } else if (type == DIALOG.UNBLOCK) {
+      title = PINManagementGUIFacade.TITLE_UNBLOCK_PIN;
+      message = PINManagementGUIFacade.MESSAGE_UNBLOCK_PINPAD_CONFIRM;
+    } else {
+      log.error("enterNewPIN not supported for dialog type " + type);
+      showErrorDialog(ERR_UNKNOWN, null);
+      return;
+    }
+    showEnterPIN(pinSpec, -1, title, message, null);
+  }
+
 }
diff --git a/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java
index f99bcfd1..46ae18b9 100644
--- a/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java
+++ b/BKUGuiExt/src/main/java/at/gv/egiz/bku/gui/PINManagementGUIFacade.java
@@ -32,26 +32,39 @@ public interface PINManagementGUIFacade extends BKUGUIFacade {
   public static final String TITLE_PINMGMT = "title.pin.mgmt";
   public static final String TITLE_ACTIVATE_PIN = "title.activate.pin";
   public static final String TITLE_CHANGE_PIN = "title.change.pin";
-  public static final String TITLE_VERIFY_PIN = "title.verify.pin";
+//  public static final String TITLE_VERIFY_PIN = "title.verify.pin";
   public static final String TITLE_UNBLOCK_PIN = "title.unblock.pin";
   public static final String TITLE_ACTIVATE_SUCCESS = "title.activate.success";
+  public static final String TITLE_UNBLOCK_SUCCESS = "title.unblock.success";
   public static final String TITLE_CHANGE_SUCCESS = "title.change.success";
 
   // removed message.* prefix to reuse keys as help keys
   public static final String MESSAGE_ACTIVATE_SUCCESS = "activate.success";
   public static final String MESSAGE_CHANGE_SUCCESS = "change.success";
+  public static final String MESSAGE_UNBLOCK_SUCCESS = "unblock.success";
   public static final String MESSAGE_PINMGMT = "pin.mgmt";
 //  public static final String MESSAGE_PINPAD = "pinpad";
+
   public static final String MESSAGE_ACTIVATE_PIN = "activate.pin";
   public static final String MESSAGE_CHANGE_PIN = "change.pin";
-  public static final String MESSAGE_VERIFY_PIN = "verify.pin";
   public static final String MESSAGE_UNBLOCK_PIN = "unblock.pin";
-  public static final String MESSAGE_ACTIVATEPIN_PINPAD = "activate.pinpad";
-  public static final String MESSAGE_CHANGEPIN_PINPAD = "change.pinpad";
-  public static final String MESSAGE_VERIFYPIN_PINPAD = "verify.pinpad";
-  public static final String MESSAGE_UNBLOCKPIN_PINPAD = "unblock.pinpad";
+
+  public static final String MESSAGE_ACTIVATE_PINPAD_CURRENT = "activate.pinpad.current";
+  public static final String MESSAGE_CHANGE_PINPAD_CURRENT = "change.pinpad.current";
+  public static final String MESSAGE_UNBLOCK_PINPAD_CURRENT = "unblock.pinpad.current";
+  public static final String MESSAGE_ACTIVATE_PINPAD_NEW = "activate.pinpad.new";
+  public static final String MESSAGE_CHANGE_PINPAD_NEW = "change.pinpad.new";
+  public static final String MESSAGE_UNBLOCK_PINPAD_NEW = "unblock.pinpad.new";
+  public static final String MESSAGE_ACTIVATE_PINPAD_CONFIRM = "activate.pinpad.confirm";
+  public static final String MESSAGE_CHANGE_PINPAD_CONFIRM = "change.pinpad.confirm";
+  public static final String MESSAGE_UNBLOCK_PINPAD_CONFIRM = "unblock.pinpad.confirm";
+
+  public static final String MESSAGE_ACTIVATE_PINPAD_DIREKT = "activate.pinpad.direct";
+  public static final String MESSAGE_CHANGE_PINPAD_DIREKT = "change.pinpad.direct";
+  public static final String MESSAGE_UNBLOCK_PINPAD_DIREKT = "unblock.pinpad.direct";
 
   public static final String LABEL_OLD_PIN = "label.old.pin";
+  public static final String LABEL_PUK = "label.puk";
   public static final String LABEL_NEW_PIN = "label.new.pin";
   public static final String LABEL_REPEAT_PIN = "label.repeat.pin";
 
@@ -81,35 +94,34 @@ public interface PINManagementGUIFacade extends BKUGUIFacade {
   public enum STATUS { ACTIV, NOT_ACTIV, BLOCKED, UNKNOWN };
   public enum DIALOG { VERIFY, ACTIVATE, CHANGE, UNBLOCK };
 
+  /**
+   * list pins
+   */
   public void showPINManagementDialog(Map<PINSpec, STATUS> pins,
           ActionListener activateListener, String activateCmd, String changeCmd, String unblockCmd, String verifyCmd,
           ActionListener cancelListener, String cancelCmd);
 
-  public void showPINDialog(DIALOG type, PINSpec pin,
+  /**
+   * "software" pin-entry dialog (activate, change, unblock, verify)
+   */
+  public void showPINDialog(DIALOG type, PINSpec pinSpec, int retries,
           ActionListener okListener, String okCmd,
           ActionListener cancelListener, String cancelCmd);
 
-  public void showPINDialog(DIALOG type, PINSpec pin, int retries,
-          ActionListener okListener, String okCmd,
-          ActionListener cancelListener, String cancelCmd);
+  /**
+   * <b>direct</b> pinpad pin-entry dialog
+   */
+  public void showModifyPINDirect(DIALOG type, PINSpec pinSpec, int retries);
+
+  /**
+   * <b>start/finish</b> pinpad pin-entry dialog
+   */
+  public void showEnterCurrentPIN(DIALOG type, PINSpec pinSpec, int retries);
+
+  public void showEnterNewPIN(DIALOG type, PINSpec pinSpec);
+
+  public void showConfirmNewPIN(DIALOG type, PINSpec pinSpec);
 
-  public void showPinpadPINDialog(DIALOG type, PINSpec pin, int retries);
-
-//  public void showActivatePINDialog(PINSpec pin,
-//          ActionListener okListener, String okCmd,
-//          ActionListener cancelListener, String cancelCmd);
-//
-//  public void showChangePINDialog(PINSpec pin,
-//          ActionListener okListener, String okCmd,
-//          ActionListener cancelListener, String cancelCmd);
-//
-//  public void showUnblockPINDialog(PINSpec pin,
-//          ActionListener okListener, String okCmd,
-//          ActionListener cancelListener, String cancelCmd);
-//
-//  public void showVerifyPINDialog(PINSpec pin,
-//          ActionListener okListener, String okCmd,
-//          ActionListener cancelListener, String cancelCmd);
 
   public char[] getOldPin();
 
diff --git a/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties b/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties
index 977d6e3a..5ef3edee 100644
--- a/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties
+++ b/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages.properties
@@ -15,30 +15,44 @@
 
 title.activation=<html>Aktivierung</html>
 title.pin.mgmt=<html>PIN Verwaltung</html>
-title.activate.pin=<html>PIN Aktivieren</html>
-title.change.pin=<html>PIN \u00C4ndern</html>
-title.unblock.pin=<html>PIN Entsperren</html>
-title.verify.pin=<html>PIN Eingeben</html>
+title.activate.pin=<html>PIN aktivieren</html>
+title.change.pin=<html>PIN \u00E4ndern</html>
+title.unblock.pin=<html>PIN entsperren</html>
+#title.verify.pin=<html>PIN Eingeben</html>
 title.activate.success=<html>Erfolg</html>
 title.change.success=<html>Erfolg</html>
+title.unblock.success=<html>Erfolg</html>
 
 # removed message.* prefix to reuse keys as help keys
 pin.mgmt=<html>Die Karte verf\u00FCgt \u00FCber {0} PINs</html>
+# software pin-entry messages
 activate.pin=<html>{0} eingeben und best\u00E4tigen</html>
 change.pin=<html>{0} eingeben und best\u00E4tigen</html>
 unblock.pin=<html>PUK zu {0} eingeben</html>
-verify.pin=<html>{0} eingeben</html>
-verify.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben (und best\u00E4tigen).</html>
-activate.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben und wiederholen (jeweils best\u00E4tigen).</html>
-change.pinpad=<html>Alte {0} ({1} stellig) am Kartenleser eingeben, danach neue {0} eingeben und wiederholen (jeweils best\u00E4tigen). </html>
-unblock.pinpad=<html>{0} ({1} stellig) am Kartenleser eingeben (und best\u00E4tigen).</html>
-activate.success=<html>{0} wurde erfolgreich aktiviert.</html>
-change.success=<html>{0} wurde erfolgreich ge\u00E4ndert.</html>
+# start/finish pin-entry messages
+activate.pinpad.current=<html>Transport-PIN am Kartenleser eingeben
+activate.pinpad.new=<html>Neue PIN am Kartenleser eingeben
+activate.pinpad.confirm=<html>Neue PIN am Kartenleser best\u00E4tigen
+change.pinpad.current=<html>Alte PIN am Kartenleser eingeben
+change.pinpad.new=<html>Neue PIN am Kartenleser eingeben
+change.pinpad.confirm=<html>Neue PIN am Kartenleser best\u00E4tigen
+unblock.pinpad.current=<html>PUK am Kartenleser eingeben
+unblock.pinpad.new=<html>Neue PIN am Kartenleser eingeben
+unblock.pinpad.confirm=<html>Neue PIN am Kartenleser best\u00E4tigen
+# direct pin-entry messages
+activate.pinpad.direct=<html>{0} ({1} stellig) am Kartenleser eingeben und wiederholen (jeweils best\u00E4tigen).</html>
+change.pinpad.direct=<html>Alte {0} ({1} stellig) am Kartenleser eingeben, danach neue {0} eingeben und wiederholen (jeweils best\u00E4tigen). </html>
+unblock.pinpad.direct=<html>{0} ({1} stellig) am Kartenleser eingeben (und best\u00E4tigen).</html>
+# response messages
+activate.success=<html>{0} wurde erfolgreich aktiviert
+change.success=<html>{0} wurde erfolgreich ge\u00E4ndert
+unblock.success=<html>{0} wurde erfolgreich entsperrt
 
 label.activation=<html>e-card Aktivierungsprozess</html>
 label.activation.step=<html>Schritt {0}</html>
 label.activation.idle=<html>Warte auf Server...</html>
 label.old.pin=<html>Alte {0}:</html>
+label.puk=<html>{0} PUK:</html>
 label.new.pin=<html>Neue {0}:</html>
 label.repeat.pin=<html>Best\u00E4tigung:</html>
 
diff --git a/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties b/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties
index 7f01971b..87e3f181 100644
--- a/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties
+++ b/BKUGuiExt/src/main/resources/at/gv/egiz/bku/gui/ActivationMessages_en.properties
@@ -16,29 +16,43 @@
 title.activation=<html>Activation</html>
 title.pin.mgmt=<html>PIN Management</html>
 title.activate.pin=<html>Activate PIN</html>
-title.verify.pin=<html>Enter PIN</html>
+#title.verify.pin=<html>Enter PIN</html>
 title.change.pin=<html>Change PIN</html>
 title.unblock.pin=<html>Unblock PIN</html>
 title.activate.success=<html>Success</html>
 title.change.success=<html>Success</html>
+title.unblock.success=<html>Success</html>
 
 # removed message.* prefix to reuse keys as help keys
-pin.mgmt=<html>The smartcard has {0} PINs</html>
-activate.pin=<html>Enter and confirm {0}</html>
-change.pin=<html>Enter and confirm {0}</html>
-unblock.pin=<html>Enter PUK for {0}</html>
-verify.pin=<html>Enter {0}</html>
-verify.pinpad=<html>Enter {0} ({1} digits) on cardreader (and confirm).</html>
-activate.pinpad=<html>Enter {0} ({1} digits) on cardreader and repeat (confirm in each case).</html>
-change.pinpad=<html>Enter old {0} ({1} digits) on cardreader, then enter new {0} and repeat (confirm in each case).</html>
-unblock.pinpad=<html>Enter {0} ({1} digits) on cardreader (and confirm).</html>
+pin.mgmt=<html>{0} PINs available
+# software pin-entry messages
+activate.pin=<html>Enter and confirm {0}
+change.pin=<html>Enter and confirm {0}
+unblock.pin=<html>Enter PUK for {0}
+# start/finish pin-entry messages
+activate.pinpad.current=<html>Enter transport-PIN on cardreader
+activate.pinpad.new=<html>Enter new PIN on cardreader
+activate.pinpad.confirm=<html>Confirm new PIN on cardreader
+change.pinpad.current=<html>Enter old PIN on cardreader
+change.pinpad.new=<html>Enter new PIN on cardreader
+change.pinpad.confirm=<html>Confirm new PIN on cardreader
+unblock.pinpad.current=<html>Enter PUK on cardreader
+unblock.pinpad.new=<html>Enter new PIN on cardreader
+unblock.pinpad.confirm=<html>Confirm new PIN on cardreader
+# direct pin-entry messages
+activate.pinpad.direct=<html>Enter {0} ({1} digits) on cardreader and repeat (confirm in each case)
+change.pinpad.direct=<html>Enter old {0} ({1} digits) on cardreader, then enter new {0} and repeat (confirm in each case)
+unblock.pinpad.direct=<html>Enter {0} ({1} digits) on cardreader, then enter new {0} and repeat (confirm in each case)
+# response messages
 activate.success=<html>{0} successfully activated</html>
 change.success=<html>{0} successfully changed</html>
+unblock.success=<html>{0} successfully unblocked
 
 label.activation=<html>e-card activation process</html>
 label.activation.step=<html>Step {0}</html>
 label.activation.idle=<html>Wait for server...</html>
 label.old.pin=<html>Old {0}:</html>
+label.puk=<html>{0} PUK:</html>
 label.new.pin=<html>New {0}:</html>
 label.repeat.pin=<html>Confirmation:</html>
 
diff --git a/BKUOnline/src/main/resources/log4j.properties b/BKUOnline/src/main/resources/log4j.properties
index 3eab8604..40133c83 100644
--- a/BKUOnline/src/main/resources/log4j.properties
+++ b/BKUOnline/src/main/resources/log4j.properties
@@ -15,7 +15,7 @@
 
 
 #log4j.rootLogger=DEBUG, STDOUT, file
-log4j.rootLogger=INFO, file
+log4j.rootLogger=TRACE, file
 #log4j.logger.at.gv = INFO
 
 
diff --git a/BKUOnline/src/main/webapp/META-INF/context.xml b/BKUOnline/src/main/webapp/META-INF/context.xml
index 2a2da79e..f38215a1 100644
--- a/BKUOnline/src/main/webapp/META-INF/context.xml
+++ b/BKUOnline/src/main/webapp/META-INF/context.xml
@@ -16,4 +16,4 @@
   limitations under the License.
 -->
 <!--Context path="/bkuonline"/-->
-<Context path="/bkuonline"/>
+<Context path=""/>
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
index 1ed5a177..b8cdb208 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java
@@ -16,6 +16,8 @@
 */
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -79,10 +81,16 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
 
   public static final byte KID_PIN_SIG = (byte) 0x81;
 
+  public static final byte KID_PUK_SIG = (byte) 0x83;
+
   public static final byte KID_PIN_DEC = (byte) 0x81;
 
+  public static final byte KID_PUK_DEC = (byte) 0x82;
+
   public static final byte KID_PIN_INF = (byte) 0x83;
 
+  public static final byte KID_PUK_INF = (byte) 0x84;
+
   public static final byte[] DST_SIG = new byte[] { (byte) 0x84, (byte) 0x01, // tag
       // ,
       // length
@@ -217,7 +225,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
 
   @Override
   @Exclusive
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+  public byte[] getInfobox(String infobox, PINGUI provider, String domainId)
       throws SignatureCardException, InterruptedException {
     
     if ("IdentityLink".equals(infobox)) {
@@ -233,7 +241,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   
   }
 
-  protected byte[] getIdentityLinkV1(PINProvider provider, String domainId) 
+  protected byte[] getIdentityLinkV1(PINGUI provider, String domainId)
       throws SignatureCardException, InterruptedException {
     
     try {
@@ -262,7 +270,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
     
   }
   
-  protected byte[] getIdentityLinkV2(PINProvider provider, String domainId)
+  protected byte[] getIdentityLinkV2(PINGUI provider, String domainId)
       throws SignatureCardException, InterruptedException {
     
     try {
@@ -388,7 +396,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   @Override
   @Exclusive
   public byte[] createSignature(InputStream input, KeyboxName keyboxName,
-      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
+      PINGUI provider, String alg) throws SignatureCardException, InterruptedException, IOException {
   
     ByteArrayOutputStream dst = new ByteArrayOutputStream();
     // key ID
@@ -487,7 +495,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
    * @see at.gv.egiz.smcc.AbstractSignatureCard#verifyPIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.PINProvider)
    */
   @Override
-  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void verifyPIN(PINSpec pinSpec, PINGUI pinProvider)
       throws LockedException, NotActivatedException, CancelledException,
       TimeoutException, SignatureCardException, InterruptedException {
 
@@ -509,7 +517,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
    * @see at.gv.egiz.smcc.AbstractSignatureCard#changePIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.ChangePINProvider)
    */
   @Override
-  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
+  public void changePIN(PINSpec pinSpec, ModifyPINGUI pinProvider)
       throws LockedException, NotActivatedException, CancelledException,
       TimeoutException, SignatureCardException, InterruptedException {
 
@@ -528,7 +536,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   }
 
   @Override
-  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void activatePIN(PINSpec pinSpec, ModifyPINGUI pinGUI)
       throws CancelledException, SignatureCardException, CancelledException,
       TimeoutException, InterruptedException {
     log.error("ACTIVATE PIN not supported by ACOS");
@@ -536,7 +544,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   }
 
   @Override
-  public void unblockPIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void unblockPIN(PINSpec pinSpec, ModifyPINGUI pinGUI)
       throws CancelledException, SignatureCardException, InterruptedException {
     throw new SignatureCardException("Unblock PIN not supported.");
   }
@@ -570,10 +578,8 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   // PROTECTED METHODS (assume exclusive card access)
   ////////////////////////////////////////////////////////////////////////
 
-  protected void verifyPINLoop(CardChannel channel, PINSpec spec, PINProvider provider)
-      throws InterruptedException, LockedException, NotActivatedException,
-      TimeoutException, PINFormatException, PINOperationAbortedException,
-      SignatureCardException, CardException {
+  protected void verifyPINLoop(CardChannel channel, PINSpec spec, PINGUI provider)
+      throws InterruptedException, CardException, SignatureCardException {
     
     int retries = -1;
     do {
@@ -581,10 +587,8 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
     } while (retries > 0);
   }
 
-  protected void changePINLoop(CardChannel channel, PINSpec spec, ChangePINProvider provider)
-      throws InterruptedException, LockedException, NotActivatedException,
-      TimeoutException, PINFormatException, PINOperationAbortedException,
-      SignatureCardException, CardException {
+  protected void changePINLoop(CardChannel channel, PINSpec spec, ModifyPINGUI provider)
+      throws InterruptedException, CardException, SignatureCardException {
 
     int retries = -1;
     do {
@@ -593,7 +597,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   }
 
   protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
-      PINProvider provider, int retries) throws InterruptedException, CardException, SignatureCardException {
+      PINGUI provider, int retries) throws InterruptedException, CardException, SignatureCardException {
     
     VerifyAPDUSpec apduSpec = new VerifyAPDUSpec(
         new byte[] {
@@ -602,7 +606,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
             (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00 }, 
         0, VerifyAPDUSpec.PIN_FORMAT_ASCII, 8);
     
-    ResponseAPDU resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    ResponseAPDU resp = reader.verify(channel, apduSpec, provider, pinSpec, retries);
     
     if (resp.getSW() == 0x9000) {
       return -1;
@@ -625,7 +629,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
   }
 
   protected int changePIN(CardChannel channel, PINSpec pinSpec,
-      ChangePINProvider pinProvider, int retries) throws CancelledException, InterruptedException, CardException, SignatureCardException {
+      ModifyPINGUI pinProvider, int retries) throws CancelledException, InterruptedException, CardException, SignatureCardException {
 
     ChangeReferenceDataAPDUSpec apduSpec = new ChangeReferenceDataAPDUSpec(
         new byte[] {
@@ -639,7 +643,7 @@ public class ACOSCard extends AbstractSignatureCard implements PINMgmtSignatureC
     
     
     
-    ResponseAPDU resp = reader.modify(channel, apduSpec, pinSpec, pinProvider, retries);
+    ResponseAPDU resp = reader.modify(channel, apduSpec, pinProvider, pinSpec, retries);
     
     if (resp.getSW() == 0x9000) {
       return -1;
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
index 54b4c7fe..fcb94fc6 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/AbstractSignatureCard.java
@@ -16,6 +16,8 @@
 */
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.reader.CardReader;
+import at.gv.egiz.smcc.reader.ReaderFactory;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
@@ -29,9 +31,6 @@ import javax.smartcardio.CardTerminal;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import at.gv.egiz.smcc.ccid.CCID;
-import at.gv.egiz.smcc.ccid.ReaderFactory;
-
 public abstract class AbstractSignatureCard implements SignatureCard {
 
   private static Log log = LogFactory.getLog(AbstractSignatureCard.class);
@@ -45,7 +44,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
 
   private Card card_;
   
-  protected CCID reader;
+  protected CardReader reader;
 
   protected AbstractSignatureCard(String resourceBundleName) {
     this.resourceBundleName = resourceBundleName;
@@ -68,7 +67,7 @@ public abstract class AbstractSignatureCard implements SignatureCard {
   @Override
   public void init(Card card, CardTerminal cardTerminal) {
     this.card_ = card;
-    this.reader = ReaderFactory.getInstance().getReader(card, cardTerminal);
+    this.reader = ReaderFactory.getReader(card, cardTerminal);
   }
   
   @Override
@@ -80,11 +79,6 @@ public abstract class AbstractSignatureCard implements SignatureCard {
     return new LogCardChannel(card_.getBasicChannel());
   }
 
-  @Override
-  public CCID getReader() {
-    return reader;
-  }
-
   @Override
   public void setLocale(Locale locale) {
     if (locale == null) {
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java b/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java
index e02a55d4..41358bb5 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/BELPICCard.java
@@ -18,6 +18,7 @@
 
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.MessageDigest;
@@ -110,7 +111,7 @@ public class BELPICCard extends AbstractSignatureCard implements SignatureCard {
 
   @Override
   @Exclusive
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+  public byte[] getInfobox(String infobox, PINGUI provider, String domainId)
       throws SignatureCardException, InterruptedException {
       
     throw new IllegalArgumentException("Infobox '" + infobox
@@ -120,7 +121,7 @@ public class BELPICCard extends AbstractSignatureCard implements SignatureCard {
   @Override
   @Exclusive
   public byte[] createSignature(InputStream input, KeyboxName keyboxName,
-      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
+      PINGUI provider, String alg) throws SignatureCardException, InterruptedException, IOException {
     
     if (KeyboxName.SECURE_SIGNATURE_KEYPAIR != keyboxName) {
       throw new SignatureCardException("Card does not support key " + keyboxName + ".");
@@ -176,7 +177,7 @@ public class BELPICCard extends AbstractSignatureCard implements SignatureCard {
   }
   
   protected void verifyPINLoop(CardChannel channel, PINSpec spec,
-      PINProvider provider) throws LockedException, NotActivatedException,
+      PINGUI provider) throws LockedException, NotActivatedException,
       SignatureCardException, InterruptedException, CardException {
     
     int retries = -1; //verifyPIN(channel, spec, null, -1);
@@ -186,7 +187,7 @@ public class BELPICCard extends AbstractSignatureCard implements SignatureCard {
   }
 
   protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
-      PINProvider provider, int retries) throws SignatureCardException,
+      PINGUI provider, int retries) throws SignatureCardException,
       LockedException, NotActivatedException, InterruptedException,
       CardException {
     
@@ -197,7 +198,7 @@ public class BELPICCard extends AbstractSignatureCard implements SignatureCard {
             (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
         1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
     
-    ResponseAPDU resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    ResponseAPDU resp = reader.verify(channel, apduSpec, provider, pinSpec, retries);
     
     if (resp.getSW() == 0x9000) {
       return -1;
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java
deleted file mode 100644
index 41010551..00000000
--- a/smcc/src/main/java/at/gv/egiz/smcc/ChangePINProvider.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.smcc;
-
-/**
- *
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public interface ChangePINProvider extends PINProvider {
-
-  /**
-   *
-   * @param spec
-   * @param retries
-   * @return null if no old value for this pin
-   * @throws at.gv.egiz.smcc.CancelledException if cancelled by user
-   * @throws java.lang.InterruptedException
-   */
-  public char[] provideOldPIN(PINSpec spec, int retries)
-          throws CancelledException, InterruptedException;
-
-}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java
index 831a1f9b..64389190 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ITCard.java
@@ -17,6 +17,7 @@
 
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -96,7 +97,7 @@ public class ITCard extends AbstractSignatureCard {
 
   @Override
   @Exclusive
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+  public byte[] getInfobox(String infobox, PINGUI provider, String domainId)
       throws SignatureCardException, InterruptedException {
       
     throw new IllegalArgumentException("Infobox '" + infobox
@@ -106,7 +107,7 @@ public class ITCard extends AbstractSignatureCard {
   @Override
   @Exclusive
   public byte[] createSignature(InputStream input, KeyboxName keyboxName,
-      PINProvider provider, String alg) throws SignatureCardException,
+      PINGUI provider, String alg) throws SignatureCardException,
       InterruptedException, IOException {
 
     if (KeyboxName.SECURE_SIGNATURE_KEYPAIR != keyboxName) {
@@ -159,7 +160,7 @@ public class ITCard extends AbstractSignatureCard {
   }
 
   protected void verifyPINLoop(CardChannel channel, PINSpec spec,
-      PINProvider provider) throws LockedException, NotActivatedException,
+      PINGUI provider) throws LockedException, NotActivatedException,
       SignatureCardException, InterruptedException, CardException {
     
     int retries = -1;
@@ -169,7 +170,7 @@ public class ITCard extends AbstractSignatureCard {
   }
 
   protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
-      PINProvider provider, int retries) throws SignatureCardException,
+      PINGUI provider, int retries) throws SignatureCardException,
       LockedException, NotActivatedException, InterruptedException,
       CardException {
     
@@ -180,7 +181,7 @@ public class ITCard extends AbstractSignatureCard {
             (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
         0, VerifyAPDUSpec.PIN_FORMAT_ASCII, 8);
     
-    ResponseAPDU resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+    ResponseAPDU resp = reader.verify(channel, apduSpec, provider, pinSpec, retries);
     
     if (resp.getSW() == 0x9000) {
       return -2;
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java b/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java
index eaf38435..24dfa53c 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINConfirmationException.java
@@ -23,23 +23,4 @@ package at.gv.egiz.smcc;
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
  */
 public class PINConfirmationException extends SignatureCardException {
-
-  private static final long serialVersionUID = 1L;
-
-  public PINConfirmationException() {
-    super();
-  }
-
-  public PINConfirmationException(String message, Throwable cause) {
-    super(message, cause);
-  }
-
-  public PINConfirmationException(String message) {
-    super(message);
-  }
-
-  public PINConfirmationException(Throwable cause) {
-    super(cause);
-  }
-
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java b/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java
index 774fcdf5..721c63e2 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINFormatException.java
@@ -23,23 +23,4 @@ package at.gv.egiz.smcc;
  * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
  */
 public class PINFormatException extends SignatureCardException {
-
-  private static final long serialVersionUID = 1L;
-
-  public PINFormatException() {
-    super();
-  }
-
-  public PINFormatException(String message, Throwable cause) {
-    super(message, cause);
-  }
-
-  public PINFormatException(String message) {
-    super(message);
-  }
-
-  public PINFormatException(Throwable cause) {
-    super(cause);
-  }
-
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java
index 53738612..5091c10f 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/PINMgmtSignatureCard.java
@@ -16,6 +16,9 @@
 */
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import java.util.List;
 
 public interface PINMgmtSignatureCard extends SignatureCard {
@@ -26,16 +29,16 @@ public interface PINMgmtSignatureCard extends SignatureCard {
 
   public PIN_STATE getPINState(PINSpec pinSpec) throws SignatureCardException;
   
-  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void verifyPIN(PINSpec pinSpec, PINGUI pinGUI)
   throws LockedException, NotActivatedException, CancelledException, SignatureCardException, InterruptedException;
 
-  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
+  public void changePIN(PINSpec pinSpec, ModifyPINGUI changePINGUI)
   throws LockedException, NotActivatedException, CancelledException, PINFormatException, SignatureCardException, InterruptedException;
 
-  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void activatePIN(PINSpec pinSpec, ModifyPINGUI activatePINGUI)
   throws CancelledException, SignatureCardException, InterruptedException;
 
-  public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider)
+  public void unblockPIN(PINSpec pinSpec, ModifyPINGUI pukGUI)
   throws CancelledException, SignatureCardException, InterruptedException;
 
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
deleted file mode 100644
index 5c294b5b..00000000
--- a/smcc/src/main/java/at/gv/egiz/smcc/PINProvider.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-*     http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.smcc;
-
-/**
- * The number of retries is not fixed and there is no way (?) to obtain this value.
- * A PINProvider should therefore maintain an internal retry counter or flag
- * to decide whether or not to warn the user (num retries passed in providePIN).
- *
- * Therefore PINProvider objects should not be reused.
- *
- * (ACOS: reload counter: between 0 and 15, where 15 meens deactivated)
- *
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public interface PINProvider {
-
-  /**
-   *
-   * @param spec
-   * @param retries num of remaining retries or -1 if unknown
-   * (a positive value does <em>not</em> necessarily signify that there was
-   * already an unsuccessful PIN verification)
-   * @return pin != null
-   * @throws at.gv.egiz.smcc.CancelledException
-   * @throws java.lang.InterruptedException
-   */
-  public char[] providePIN(PINSpec spec, int retries)
-          throws CancelledException, InterruptedException;
-
-}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ResetRetryCounterAPDUSpec.java b/smcc/src/main/java/at/gv/egiz/smcc/ResetRetryCounterAPDUSpec.java
new file mode 100644
index 00000000..7e71eb7e
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/ResetRetryCounterAPDUSpec.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc;
+
+public class ResetRetryCounterAPDUSpec extends ChangeReferenceDataAPDUSpec {
+
+  /**
+   * @param apdu
+   * @param pukPosition
+   * @param pukFormat
+   * @param pukLength
+   * @param pukLengthSize
+   * @param pukLengthPos
+   * @param pinInsertionOffsetNew
+   */
+  public ResetRetryCounterAPDUSpec(byte[] apdu, int pukPosition,
+      int pukFormat, int pukLength, int pukLengthSize, int pukLengthPos,
+      int pinInsertionOffsetNew) {
+    super(apdu, pukPosition, pukFormat, pukLength, pukLengthSize, pukLengthPos);
+    this.pinInsertionOffsetNew = pinInsertionOffsetNew;
+  }
+
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index 79a4cc69..ad05352f 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -17,6 +17,8 @@
 
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -225,7 +227,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   
   @Override
   @Exclusive
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+  public byte[] getInfobox(String infobox, PINGUI pinGUI, String domainId)
       throws SignatureCardException, InterruptedException {
   
     try {
@@ -243,7 +245,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
           try {
             return ISO7816Utils.readTransparentFileTLV(channel, -1, (byte) 0x30);
           } catch (SecurityStatusNotSatisfiedException e) {
-            verifyPINLoop(channel, spec, provider);
+            verifyPINLoop(channel, spec, pinGUI);
           }
         }
         
@@ -301,7 +303,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   @Override
   @Exclusive
   public byte[] createSignature(InputStream input, KeyboxName keyboxName,
-      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
+      PINGUI provider, String alg) throws SignatureCardException, InterruptedException, IOException {
   
     ByteArrayOutputStream dst = new ByteArrayOutputStream();
     byte[] ht = null;
@@ -431,7 +433,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
    */
   @Override
   @Exclusive
-  public void verifyPIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void verifyPIN(PINSpec pinSpec, PINGUI pinProvider)
       throws LockedException, NotActivatedException, CancelledException,
       TimeoutException, SignatureCardException, InterruptedException {
     
@@ -442,12 +444,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
         // SELECT application
         execSELECT_AID(channel, pinSpec.getContextAID());
       }
-      log.debug("*** verifyPIN loop");
       verifyPINLoop(channel, pinSpec, pinProvider);
-//      log.debug("*** verifyPIN 0");
-//      int retries = verifyPIN(channel, pinSpec, null, 0);
-//      log.debug("*** verifyPIN " + retries + " tries");
-//      verifyPIN(channel, pinSpec, pinProvider, retries);
     } catch (CardException e) {
       log.info("Failed to verify PIN.", e);
       throw new SignatureCardException("Failed to verify PIN.", e);
@@ -460,7 +457,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
    */
   @Override
   @Exclusive
-  public void changePIN(PINSpec pinSpec, ChangePINProvider pinProvider)
+  public void changePIN(PINSpec pinSpec, ModifyPINGUI pinGUI)
       throws LockedException, NotActivatedException, CancelledException,
       TimeoutException, SignatureCardException, InterruptedException {
     
@@ -471,9 +468,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
         // SELECT application
         execSELECT_AID(channel, pinSpec.getContextAID());
       }
-      changePINLoop(channel, pinSpec, pinProvider);
-//      int retries = verifyPIN(channel, pinSpec, null, 0);
-//      changePIN(channel, pinSpec, pinProvider, retries);
+      changePINLoop(channel, pinSpec, pinGUI);
     } catch (CardException e) {
       log.info("Failed to change PIN.", e);
       throw new SignatureCardException("Failed to change PIN.", e);
@@ -486,7 +481,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
    */
   @Override
   @Exclusive
-  public void activatePIN(PINSpec pinSpec, PINProvider pinProvider)
+  public void activatePIN(PINSpec pinSpec, ModifyPINGUI activatePINGUI)
       throws CancelledException, SignatureCardException, CancelledException,
       TimeoutException, InterruptedException {
 
@@ -497,7 +492,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
         // SELECT application
         execSELECT_AID(channel, pinSpec.getContextAID());
       }
-      activatePIN(channel, pinSpec, pinProvider);
+      activatePIN(channel, pinSpec, activatePINGUI);
     } catch (CardException e) {
       log.info("Failed to activate PIN.", e);
       throw new SignatureCardException("Failed to activate PIN.", e);
@@ -509,9 +504,16 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
    * @see at.gv.egiz.smcc.PINMgmtSignatureCard#unblockPIN(at.gv.egiz.smcc.PINSpec, at.gv.egiz.smcc.PINProvider)
    */
   @Override
-  public void unblockPIN(PINSpec pinSpec, PINProvider pukProvider)
+  public void unblockPIN(PINSpec pinSpec, ModifyPINGUI pukProvider)
       throws CancelledException, SignatureCardException, InterruptedException {
-    throw new SignatureCardException("Unblock PIN is not supported.");
+    CardChannel channel = getCardChannel();
+
+    try {
+      unblockPINLoop(channel, pinSpec, pukProvider);
+    } catch (CardException e) {
+      log.info("Failed to activate PIN.", e);
+      throw new SignatureCardException("Failed to activate PIN.", e);
+    }
   }
 
   @Override
@@ -574,7 +576,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
   // PROTECTED METHODS (assume exclusive card access)
   ////////////////////////////////////////////////////////////////////////
   
-  protected void verifyPINLoop(CardChannel channel, PINSpec spec, PINProvider provider)
+  protected void verifyPINLoop(CardChannel channel, PINSpec spec, PINGUI provider)
       throws LockedException, NotActivatedException, SignatureCardException,
       InterruptedException, CardException {
     
@@ -584,7 +586,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
     } while (retries > 0);
   }
 
-  protected void changePINLoop(CardChannel channel, PINSpec spec, ChangePINProvider provider)
+  protected void changePINLoop(CardChannel channel, PINSpec spec, ModifyPINGUI provider)
       throws LockedException, NotActivatedException, SignatureCardException,
       InterruptedException, CardException {
 
@@ -594,8 +596,19 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
     } while (retries > 0);
   }
   
+  protected void unblockPINLoop(CardChannel channel, PINSpec spec, ModifyPINGUI provider)
+      throws LockedException, NotActivatedException, SignatureCardException,
+      InterruptedException, CardException {
+
+    //TODO get PUK retry counter from EF FID 0036 in MF
+    int retries = -1;
+    do {
+      retries = unblockPIN(channel, spec, provider, retries);
+    } while (retries > 0);
+  }
+
   protected int verifyPIN(CardChannel channel, PINSpec pinSpec,
-      PINProvider provider, int retries) throws SignatureCardException,
+      PINGUI provider, int retries) throws SignatureCardException,
       LockedException, NotActivatedException, InterruptedException,
       CardException {
     
@@ -608,108 +621,135 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
     
     ResponseAPDU resp;
     if (provider != null) {
-      resp = reader.verify(channel, apduSpec, pinSpec, provider, retries);
+      resp = reader.verify(channel, apduSpec, provider, pinSpec, retries);
     } else {
       resp = channel.transmit(new CommandAPDU(0x00, 0x20, 0x00, pinSpec.getKID()));
     }
-    
+
+
     if (resp.getSW() == 0x9000) {
       return -1;
-    }
-    if (resp.getSW() == 0x63c0) {
-      // returned by the 'short' VERIFY
+    } else if (resp.getSW() == 0x6983 || resp.getSW() == 0x63c0) {
+      // authentication method blocked (0x63c0 returned by 'short' VERIFY)
       throw new LockedException();
-    }
-    if (resp.getSW() >> 4 == 0x63c) {
-      return 0x0f & resp.getSW();
-    }
-    
-    switch (resp.getSW()) {
-    case 0x6983:
-      // authentication method blocked
-      // returned by the 'long' VERIFY
-      throw new LockedException();
-    case 0x6984:
-      // reference data not usable
+    } else if (resp.getSW() == 0x6984 || resp.getSW() == 0x6985) {
+      // reference data not usable; conditions of use not satisfied
       throw new NotActivatedException();
-    case 0x6985:
-      // conditions of use not satisfied
+    } else if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    } else if (version > 1.2 && resp.getSW() == 0x6400) {
+      log.warn("cannot query pin status prior to card activation");
       throw new NotActivatedException();
-  
-    default:
+    } else {
       String msg = "VERIFY failed. SW=" + Integer.toHexString(resp.getSW()); 
       log.info(msg);
       throw new SignatureCardException(msg);
     }
-    
   }
   
   protected int changePIN(CardChannel channel, PINSpec pinSpec,
-      ChangePINProvider pinProvider, int retries) throws CancelledException,
+      ModifyPINGUI pinProvider, int retries) throws CancelledException,
       InterruptedException, CardException, SignatureCardException {
-    
-    ChangeReferenceDataAPDUSpec apduSpec = new ChangeReferenceDataAPDUSpec(
-        new byte[] { 
-            (byte) 0x00, (byte) 0x24, (byte) 0x00, pinSpec.getKID(), (byte) 0x10, 
-            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
-            (byte) 0xff, (byte) 0xff, (byte) 0xff, 
-            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 
-            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
+
+      ChangeReferenceDataAPDUSpec apduSpec = new ChangeReferenceDataAPDUSpec(
+        new byte[] {
+            (byte) 0x00, (byte) 0x24, (byte) 0x00, pinSpec.getKID(), (byte) 0x10,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff },
         1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4, 8);
-    
-    ResponseAPDU resp = reader.modify(channel, apduSpec, pinSpec, pinProvider, retries);
-    
+
+    ResponseAPDU resp = reader.modify(channel, apduSpec, pinProvider, pinSpec, retries);
+
     if (resp.getSW() == 0x9000) {
       return -1;
-    }
-    if (resp.getSW() >> 4 == 0x63c) {
-      return 0x0f & resp.getSW();
-    }
-    
-    switch (resp.getSW()) {
-    case 0x6983:
+    } else if (resp.getSW() == 0x6983) {
       // authentication method blocked
       throw new LockedException();
-  
-    default:
+    } else if (resp.getSW() == 0x6984) {
+      throw new NotActivatedException();
+    } else if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    } else {
       String msg = "CHANGE REFERENCE DATA failed. SW=" + Integer.toHexString(resp.getSW()); 
       log.info(msg);
       throw new SignatureCardException(msg);
     }
-   
-    
   }
 
   protected int activatePIN(CardChannel channel, PINSpec pinSpec,
-      PINProvider provider) throws SignatureCardException,
+      ModifyPINGUI provider) throws SignatureCardException,
       InterruptedException, CardException {
     
-    NewReferenceDataAPDUSpec apduSpec = new NewReferenceDataAPDUSpec(
+    ResponseAPDU resp;
+    if (version < 1.2) {
+      NewReferenceDataAPDUSpec apduSpec = new NewReferenceDataAPDUSpec(
+          new byte[] {
+              (byte) 0x00, (byte) 0x24, (byte) 0x01, pinSpec.getKID(), (byte) 0x08,
+              (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+              (byte) 0xff, (byte) 0xff, (byte) 0xff },
+          1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
+
+      resp = reader.modify(channel, apduSpec, provider, pinSpec);
+    } else {
+      NewReferenceDataAPDUSpec apduSpec = new NewReferenceDataAPDUSpec(
+          new byte[] {
+              (byte) 0x00, (byte) 0x24, (byte) 0x00, pinSpec.getKID(), (byte) 0x10,
+              (byte) 0x26, (byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0xff,
+              (byte) 0xff, (byte) 0xff, (byte) 0xff, 
+              (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+              (byte) 0xff, (byte) 0xff, (byte) 0xff },
+          1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
+      apduSpec.setPinInsertionOffsetNew(8);
+      resp = reader.modify(channel, apduSpec, provider, pinSpec);
+    }
+
+    if (resp.getSW() == 0x9000) {
+      return -1;
+    } else {
+      String msg = "CHANGE REFERENCE DATA failed. SW=" + Integer.toHexString(resp.getSW());
+      log.info(msg);
+      throw new SignatureCardException(msg);
+    }
+  }
+  
+  protected int unblockPIN(CardChannel channel, PINSpec pinSpec,
+      ModifyPINGUI provider, int retries) throws SignatureCardException,
+      InterruptedException, CardException {
+
+    if (version < 1.2) {
+      // would return 0x6982 (Security status not satisfied)
+      throw new SignatureCardException("RESET RETRY COUNTER is not supported by this card.");
+    }
+
+    ResetRetryCounterAPDUSpec apduSpec = new ResetRetryCounterAPDUSpec(
         new byte[] {
-            (byte) 0x00, (byte) 0x24, (byte) 0x01, pinSpec.getKID(), (byte) 0x08,
+            (byte) 0x00, (byte) 0x2c, (byte) 0x00, pinSpec.getKID(), (byte) 0x10,
             (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
-            (byte) 0xff, (byte) 0xff, (byte) 0xff }, 
-        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4);
-    
-    ResponseAPDU resp = reader.activate(channel, apduSpec, pinSpec, provider);
-    
-    switch (resp.getSW()) {
-    
-    case 0x9000:
-      return -1;
+            (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0x20, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff,
+            (byte) 0xff, (byte) 0xff, (byte) 0xff },
+        1, VerifyAPDUSpec.PIN_FORMAT_BCD, 7, 4, 4, 8);
 
-    case 0x6983:
-      // authentication method blocked
-      throw new LockedException();
+    ResponseAPDU resp = reader.modify(channel, apduSpec, provider, pinSpec, retries);
 
-    default:
-      String msg = "CHANGE REFERENCE DATA failed. SW=" + Integer.toHexString(resp.getSW()); 
+    if (resp.getSW() == 0x9000) {
+      return -1;
+    } else if (resp.getSW() == 0x6983) {
+      // PUK blocked
+      throw new LockedException();
+    } else if (resp.getSW() == 0x6984) {
+      throw new NotActivatedException();
+    } else if (resp.getSW() >> 4 == 0x63c) {
+      return 0x0f & resp.getSW();
+    } else {
+      String msg = "RESET RETRY COUNTER failed. SW=" + Integer.toHexString(resp.getSW());
       log.info(msg);
       throw new SignatureCardException(msg);
     }
-    
   }
-  
+
   protected void execSELECT_MF(CardChannel channel) throws CardException, SignatureCardException {
     ResponseAPDU resp = channel.transmit(
         new CommandAPDU(0x00, 0xA4, 0x00, 0x0C));
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
index 670704d5..73c7faa8 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java
@@ -40,15 +40,12 @@ import java.util.Enumeration;
 import java.util.Locale;
 
 import javax.smartcardio.Card;
-import javax.smartcardio.CardChannel;
-import javax.smartcardio.CardException;
 import javax.smartcardio.CardTerminal;
-import javax.smartcardio.ResponseAPDU;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import at.gv.egiz.smcc.ccid.CCID;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 
 /**
  *
@@ -280,7 +277,7 @@ public class SWCard implements SignatureCard {
     
   }
 
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId) throws SignatureCardException {
+  public byte[] getInfobox(String infobox, PINGUI provider, String domainId) throws SignatureCardException {
     
     String fileName = getFileName(infobox + ".ibx");
     FileInputStream file;
@@ -309,7 +306,7 @@ public class SWCard implements SignatureCard {
   }
 
   @Override
-  public byte[] createSignature(InputStream input, KeyboxName keyboxName, PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException {
+  public byte[] createSignature(InputStream input, KeyboxName keyboxName, PINGUI provider, String alg) throws SignatureCardException, InterruptedException, IOException {
 
     // KeyStore password
     char[] password = getPassword(keyboxName);
@@ -396,101 +393,4 @@ public class SWCard implements SignatureCard {
   @Override
   public void reset() throws SignatureCardException {
   }
-
-  @Override
-  public CCID getReader() {
-    return new CCID() {
-
-      @Override
-      public boolean hasFeature(Byte feature) {
-        return false;
-      }
-
-      @Override
-      public byte getbTimeOut() {
-        return 0;
-      }
-
-      @Override
-      public byte getbTimeOut2() {
-        return 0;
-      }
-
-      @Override
-      public byte getwPINMaxExtraDigitL() {
-        return 0x12;
-      }
-
-      @Override
-      public byte getwPINMaxExtraDigitH() {
-        return 0x00;
-      }
-
-      @Override
-      public byte getbEntryValidationCondition() {
-        return 0x02;
-      }
-
-      @Override
-      public Card connect() {
-        return null;
-      }
-
-      @Override
-      public String getName() {
-        return "Software CardReader";
-      }
-
-      @Override
-      public byte[] verifyPin(byte[] PIN_VERIFY) throws CardException {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
-
-      @Override
-      public byte[] verifyPinDirect(byte[] PIN_VERIFY) throws CardException {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
-
-      @Override
-      public byte[] modifyPin(byte[] PIN_MODIFY) throws CardException {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
-
-      @Override
-      public byte[] modifyPinDirect(byte[] PIN_MODIFY) throws CardException {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
-
-      @Override
-      public void setDisablePinpad(boolean disable) {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
-
-      @Override
-      public ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
-          PINSpec pinSpec, PINProvider provider, int retries)
-          throws CancelledException, InterruptedException, CardException,
-          SignatureCardException {
-        throw new UnsupportedOperationException("Not supported yet.");
-      }
-
-      @Override
-      public ResponseAPDU activate(CardChannel channel,
-          NewReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
-          PINProvider provider) throws CancelledException,
-          InterruptedException, CardException, SignatureCardException {
-        // TODO Auto-generated method stub
-        return null;
-      }
-
-      @Override
-      public ResponseAPDU modify(CardChannel channel,
-          ChangeReferenceDataAPDUSpec apduSpec, PINSpec pinSpec,
-          ChangePINProvider provider, int retries) throws CancelledException,
-          InterruptedException, CardException, SignatureCardException {
-        // TODO Auto-generated method stub
-        return null;
-      }
-    };
-  }
 }
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
index 3d56f97b..fa589b84 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java
@@ -17,8 +17,7 @@
 
 package at.gv.egiz.smcc;
 
-import at.gv.egiz.smcc.ccid.CCID;
-
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Locale;
@@ -99,7 +98,7 @@ public interface SignatureCard {
    * @throws SignatureCardException
    * @throws InterruptedException if applet is destroyed while in pin dialog
    */
-  public byte[] getInfobox(String infobox, PINProvider provider, String domainId)
+  public byte[] getInfobox(String infobox, PINGUI pinGUI, String domainId)
       throws SignatureCardException, InterruptedException;
 
   /**
@@ -114,9 +113,7 @@ public interface SignatureCard {
    * @throws IOException 
    */
   public byte[] createSignature(InputStream input, KeyboxName keyboxName,
-      PINProvider provider, String alg) throws SignatureCardException, InterruptedException, IOException;
-
-  public CCID getReader();
+      PINGUI pinGUI, String alg) throws SignatureCardException, InterruptedException, IOException;
 
   /**
    * Sets the local for evtl. required callbacks (e.g. PINSpec)
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINGUI.java b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINGUI.java
new file mode 100644
index 00000000..00dc2d0e
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINGUI.java
@@ -0,0 +1,36 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+
+public interface ModifyPINGUI extends ModifyPINProvider {
+
+  void modifyPINDirect(PINSpec spec, int retries) throws CancelledException, InterruptedException;
+  void finishDirect();
+
+  void enterCurrentPIN(PINSpec spec, int retries);
+  void enterNewPIN(PINSpec spec);
+  void confirmNewPIN(PINSpec spec);
+  void validKeyPressed();
+  void correctionButtonPressed();
+  void allKeysCleared();
+  /** called prior to MODIFY_PIN_FINISH control command transmission (clear display or display wait message) */
+  void finish();
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINProvider.java
new file mode 100644
index 00000000..36f0097d
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/ModifyPINProvider.java
@@ -0,0 +1,48 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+
+/**
+ * user interface for "software pin-entry" of
+ * <ul>
+ * <li> current pin and new pin (change pin)
+ * <li> new pin (pin activation, no current pin)
+ * <li> puk and new pin (probably verify only?)
+ * </ul>
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public interface ModifyPINProvider {
+
+  /**
+   *
+   * @param spec
+   * @param retries
+   * @return null if no old value for this pin
+   * @throws at.gv.egiz.smcc.CancelledException if cancelled by user
+   * @throws java.lang.InterruptedException
+   */
+  public char[] provideCurrentPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException;
+
+  public char[] provideNewPIN(PINSpec spec)
+          throws CancelledException, InterruptedException;
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINGUI.java b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINGUI.java
new file mode 100644
index 00000000..5199977b
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINGUI.java
@@ -0,0 +1,42 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+
+/**
+ * Display messages for pinpad pin-entry.
+ * Provides an interface for two types of pinpad pin-entry: pinpad-direct and pinpad-start/finish
+ * @author clemens.orthacker@iaik.tugraz.at
+ */
+public interface PINGUI extends PINProvider {
+
+  void enterPINDirect(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException;
+  
+  /**
+   * @throws CancelledException, InterruptedException if signature-data dialog is interrupted or cancelled
+   */
+  void enterPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException;
+  void validKeyPressed();
+  void correctionButtonPressed();
+  void allKeysCleared();
+  
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINProvider.java b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINProvider.java
new file mode 100644
index 00000000..3bf49888
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/pin/gui/PINProvider.java
@@ -0,0 +1,49 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+
+/**
+ * The number of retries is not fixed and there is no way (?) to obtain this value.
+ * A PINProvider should therefore maintain an internal retry counter or flag
+ * to decide whether or not to warn the user (num retries passed in providePIN).
+ *
+ * Therefore PINProvider objects should not be reused.
+ *
+ * (ACOS: reload counter: between 0 and 15, where 15 meens deactivated)
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public interface PINProvider {
+
+  /**
+   *
+   * @param spec
+   * @param retries num of remaining retries or -1 if unknown
+   * (a positive value does <em>not</em> necessarily signify that there was
+   * already an unsuccessful PIN verification)
+   * @return pin != null
+   * @throws at.gv.egiz.smcc.CancelledException
+   * @throws java.lang.InterruptedException
+   */
+  char[] providePIN(PINSpec pinSpec, int retries)
+          throws CancelledException, InterruptedException;
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/reader/CardReader.java b/smcc/src/main/java/at/gv/egiz/smcc/reader/CardReader.java
new file mode 100644
index 00000000..a1246dd6
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/reader/CardReader.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.reader;
+
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.ResponseAPDU;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.ChangeReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.NewReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.ResetRetryCounterAPDUSpec;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.VerifyAPDUSpec;
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
+import javax.smartcardio.Card;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public interface CardReader {
+
+
+  String[] FEATURES = new String[]{"NO_FEATURE",
+    "FEATURE_VERIFY_PIN_START",
+    "FEATURE_VERIFY_PIN_FINISH",
+    "FEATURE_MODIFY_PIN_START",
+    "FEATURE_MODIFY_PIN_FINISH",
+    "FEATURE_GET_KEY_PRESSED",
+    "FEATURE_VERIFY_PIN_DIRECT",
+    "FEATURE_MODIFY_PIN_DIRECT",
+    "FEATURE_MCT_READER_DIRECT",
+    "FEATURE_MCT_UNIVERSAL",
+    "FEATURE_IFD_PIN_PROPERTIES",
+    "FEATURE_ABORT",
+    "FEATURE_SET_SPE_MESSAGE",
+    "FEATURE_VERIFY_PIN_DIRECT_APP_ID",
+    "FEATURE_MODIFY_PIN_DIRECT_APP_ID",
+    "FEATURE_WRITE_DISPLAY",
+    "FEATURE_GET_KEY",
+    "FEATURE_IFD_DISPLAY_PROPERTIES"};
+
+  Byte FEATURE_VERIFY_PIN_START = new Byte((byte) 0x01);
+  Byte FEATURE_VERIFY_PIN_FINISH = new Byte((byte) 0x02);
+  Byte FEATURE_MODIFY_PIN_START = new Byte((byte) 0x03);
+  Byte FEATURE_MODIFY_PIN_FINISH = new Byte((byte) 0x04);
+  Byte FEATURE_GET_KEY_PRESSED = new Byte((byte) 0x05);
+  Byte FEATURE_VERIFY_PIN_DIRECT = new Byte((byte) 0x06);
+  Byte FEATURE_MODIFY_PIN_DIRECT = new Byte((byte) 0x07);
+  Byte FEATURE_MCT_READER_DIRECT = new Byte((byte) 0x08);
+  Byte FEATURE_MCT_UNIVERSAL = new Byte((byte) 0x09);
+  Byte FEATURE_IFD_PIN_PROPERTIES = new Byte((byte) 0x0a);
+  //TODO continue list
+
+
+  Card connect() throws CardException;
+
+  boolean hasFeature(Byte feature);
+
+  ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
+          PINGUI pinGUI, PINSpec pinSpec, int retries)
+      throws CancelledException, InterruptedException, CardException, SignatureCardException;
+
+  ResponseAPDU modify(CardChannel channel, ChangeReferenceDataAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec, int retries)
+      throws CancelledException, InterruptedException, CardException, SignatureCardException;
+
+  ResponseAPDU modify(CardChannel channel, NewReferenceDataAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec)
+      throws CancelledException, InterruptedException, CardException, SignatureCardException;
+
+  ResponseAPDU modify(CardChannel channel, ResetRetryCounterAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec, int retries)
+      throws CancelledException, InterruptedException, CardException, SignatureCardException;
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/reader/DefaultCardReader.java b/smcc/src/main/java/at/gv/egiz/smcc/reader/DefaultCardReader.java
new file mode 100644
index 00000000..45ea7a5a
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/reader/DefaultCardReader.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.reader;
+
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
+import javax.smartcardio.ResponseAPDU;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.smcc.ChangeReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.NewReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.ResetRetryCounterAPDUSpec;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.VerifyAPDUSpec;
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
+import at.gv.egiz.smcc.util.ISO7816Utils;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class DefaultCardReader implements CardReader {
+
+  protected final static Log log = LogFactory.getLog(DefaultCardReader.class);
+
+  protected CardTerminal ct;
+  protected String name;
+
+  public DefaultCardReader(CardTerminal ct) {
+    if (ct == null) {
+      throw new NullPointerException("no card or card terminal provided");
+    }
+    this.ct = ct;
+    this.name = ct.getName();
+  }
+
+  @Override
+  public ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
+          PINGUI pinGUI, PINSpec pinSpec, int retries)
+        throws SignatureCardException, CardException, InterruptedException {
+
+    log.debug("VERIFY");
+    return channel.transmit(ISO7816Utils.createVerifyAPDU(apduSpec, pinGUI.providePIN(pinSpec, retries)));
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel, ChangeReferenceDataAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec, int retries)
+        throws SignatureCardException, CardException, InterruptedException {
+    log.debug("MODIFY (CHANGE_REFERENCE_DATA)");
+    char[] oldPin = pinGUI.provideCurrentPIN(pinSpec, retries);
+    char[] newPin = pinGUI.provideNewPIN(pinSpec);
+    return channel.transmit(ISO7816Utils.createChangeReferenceDataAPDU(apduSpec, oldPin, newPin));
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel, NewReferenceDataAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec)
+        throws SignatureCardException, CardException, InterruptedException {
+    log.debug("MODIFY (NEW_REFERENCE_DATA)");
+    char[] newPIN = pinGUI.provideNewPIN(pinSpec);
+    return channel.transmit(ISO7816Utils.createNewReferenceDataAPDU(apduSpec, newPIN));
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel, ResetRetryCounterAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec, int retries)
+          throws InterruptedException, CardException, SignatureCardException {
+    log.debug("MODIFY (RESET_RETRY_COUNTER)");
+    //TODO
+    return modify(channel, (ChangeReferenceDataAPDUSpec) apduSpec, pinGUI, pinSpec, retries);
+  }
+
+  @Override
+  public Card connect() throws CardException {
+    log.debug("connect icc");
+    return ct.connect("*");
+  }
+
+  @Override
+  public boolean hasFeature(Byte feature) {
+    return false;
+  }
+
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/reader/PinpadCardReader.java b/smcc/src/main/java/at/gv/egiz/smcc/reader/PinpadCardReader.java
new file mode 100644
index 00000000..c2537af8
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/reader/PinpadCardReader.java
@@ -0,0 +1,703 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.reader;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Map;
+
+import javax.smartcardio.Card;
+import javax.smartcardio.CardChannel;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
+import javax.smartcardio.ResponseAPDU;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.ChangeReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.NewReferenceDataAPDUSpec;
+import at.gv.egiz.smcc.PINConfirmationException;
+import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINOperationAbortedException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.ResetRetryCounterAPDUSpec;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.TimeoutException;
+import at.gv.egiz.smcc.VerifyAPDUSpec;
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
+import at.gv.egiz.smcc.util.SMCCHelper;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class PinpadCardReader extends DefaultCardReader {
+
+  public static final int PIN_ENTRY_POLLING_INTERVAL = 10;
+
+  protected final static Log log = LogFactory.getLog(PinpadCardReader.class);
+
+  protected byte bEntryValidationCondition = 0x02;  // validation key pressed
+  protected byte bTimeOut = 0x3c;                   // 60sec (= max on ReinerSCT)
+  protected byte bTimeOut2 = 0x00;                  // default (attention with SCM)
+  protected byte wPINMaxExtraDigitH = 0x00;         // min pin length zero digits
+  protected byte wPINMaxExtraDigitL = 0x0c;         // max pin length 12 digits
+
+  /**
+   * supported features and respective control codes
+   */
+  protected Map<Byte, Integer> features;
+  protected boolean VERIFY, MODIFY, VERIFY_DIRECT, MODIFY_DIRECT;
+
+  public PinpadCardReader(CardTerminal ct, Map<Byte, Integer> features) {
+    super(ct);
+    if (features == null) {
+      throw new NullPointerException("Pinpad card reader does not support any features");
+    }
+    this.features = features;
+
+    if (features.containsKey(FEATURE_VERIFY_PIN_START) &&
+        features.containsKey(FEATURE_GET_KEY_PRESSED) &&
+        features.containsKey(FEATURE_VERIFY_PIN_FINISH)) {
+      VERIFY = true;
+    }
+    if (features.containsKey(FEATURE_MODIFY_PIN_START) &&
+        features.containsKey(FEATURE_GET_KEY_PRESSED) &&
+        features.containsKey(FEATURE_MODIFY_PIN_FINISH)) {
+      MODIFY = true;
+    }
+    if (features.containsKey(FEATURE_VERIFY_PIN_DIRECT)) {
+      VERIFY_DIRECT = true;
+    }
+    if (features.containsKey(FEATURE_MODIFY_PIN_DIRECT)) {
+      MODIFY_DIRECT = true;
+    }
+
+    if (name != null) {
+      name = name.toLowerCase();
+      //ReinerSCT: http://support.reiner-sct.de/downloads/LINUX
+      //           http://www.linux-club.de/viewtopic.php?f=61&t=101287&start=0
+      //old: REINER SCT CyberJack 00 00
+      //new (CCID): 0C4B/0300 Reiner-SCT cyberJack pinpad(a) 00 00
+      //Snow Leopard: Reiner-SCT cyberJack pinpad(a) 00 00
+      //display: REINER SCT CyberJack 00 00
+      if(name.startsWith("gemplus gempc pinpad") || name.startsWith("gemalto gempc pinpad")) {
+        log.debug("setting custom wPINMaxExtraDigitH (0x04) for " + name);
+        wPINMaxExtraDigitH = 0x04;
+        log.debug("setting custom wPINMaxExtraDigitL (0x08) for " + name);
+        wPINMaxExtraDigitL = 0x08;
+      } else if (name.startsWith("omnikey cardman 3621")) {
+        log.debug("setting custom wPINMaxExtraDigitH (0x01) for " + name);
+        wPINMaxExtraDigitH = 0x01;
+      } else if (name.startsWith("scm spr 532") || name.startsWith("scm microsystems inc. sprx32 usb smart card reader")) {
+        log.debug("setting custom bTimeOut (0x3c) for " + name);
+        bTimeOut = 0x3c;
+        log.debug("setting custom bTimeOut2 (0x0f) for " + name);
+        bTimeOut2 = 0x0f;
+      } else if (name.startsWith("cherry smartboard xx44")) {
+        log.debug("setting custom wPINMaxExtraDigitH (0x01) for " + name);
+        wPINMaxExtraDigitH = 0x01;
+      }
+    }
+
+  }
+
+  @Override
+  public boolean hasFeature(Byte feature) {
+    return features.containsKey(feature);
+  }
+  
+  private void VERIFY_PIN_START(Card icc, byte[] PIN_VERIFY) throws CardException {
+    int ioctl = features.get(FEATURE_VERIFY_PIN_START);
+    if (log.isTraceEnabled()) {
+      log.trace("VERIFY_PIN_START (" + Integer.toHexString(ioctl) +
+              ")  " + SMCCHelper.toString(PIN_VERIFY));
+    }
+    byte[] resp = icc.transmitControlCommand(ioctl, PIN_VERIFY);
+    if (resp != null && resp.length > 0) {
+      if (resp[0] == (byte) 0x57) {
+        log.error("Invalid parameter in PIN_VERIFY structure");
+        throw new CardException("ERROR_INVALID_PARAMETER");
+      } else {
+        log.error("unexpected response to VERIFY_PIN_START: " +
+                SMCCHelper.toString(resp));
+        throw new CardException("unexpected response to VERIFY_PIN_START: " +
+                SMCCHelper.toString(resp));
+      }
+    }
+  }
+
+  private byte GET_KEY_PRESSED(Card icc) throws CardException {
+    int ioctl = features.get(FEATURE_GET_KEY_PRESSED);
+    byte[] resp = icc.transmitControlCommand(ioctl, new byte[0]);
+    if (resp != null && resp.length == 1) {
+//      if (log.isTraceEnabled()) {
+//        log.trace("response " + SMCCHelper.toString(resp));
+//      }
+      return resp[0];
+    }
+    log.error("unexpected response to GET_KEY_PRESSED: " +
+            SMCCHelper.toString(resp));
+    throw new CardException("unexpected response to GET_KEY_PRESSED: " +
+            SMCCHelper.toString(resp));
+  }
+
+  private byte[] VERIFY_PIN_FINISH(Card icc) throws CardException {
+    int ioctl = features.get(FEATURE_VERIFY_PIN_FINISH);
+    if (log.isTraceEnabled()) {
+      log.trace("VERIFY_PIN_FINISH (" + Integer.toHexString(ioctl) + ")");
+    }
+    byte[] resp = icc.transmitControlCommand(ioctl, new byte[0]);
+    if (resp != null && resp.length == 2) {
+      if (log.isTraceEnabled()) {
+        log.trace("response " + SMCCHelper.toString(resp));
+      }
+      return resp;
+    }
+    log.error("unexpected response to VERIFY_PIN_FINISH: " +
+            SMCCHelper.toString(resp));
+    throw new CardException("unexpected response to VERIFY_PIN_FINISH: " +
+            SMCCHelper.toString(resp));
+  }
+
+  private void MODIFY_PIN_START(Card icc, byte[] PIN_MODIFY) throws CardException {
+    int ioctl = features.get(FEATURE_MODIFY_PIN_START);
+    if (log.isTraceEnabled()) {
+      log.trace("MODFIY_PIN_START (" + Integer.toHexString(ioctl) +
+              ")  " + SMCCHelper.toString(PIN_MODIFY));
+    }
+    byte[] resp = icc.transmitControlCommand(ioctl, PIN_MODIFY);
+    if (resp != null && resp.length > 0) {
+      if (resp[0] == (byte) 0x57) {
+        log.error("Invalid parameter in PIN_MODIFY structure");
+        throw new CardException("ERROR_INVALID_PARAMETER");
+      } else {
+        log.error("unexpected response to MODIFY_PIN_START: " +
+                SMCCHelper.toString(resp));
+        throw new CardException("unexpected response to MODIFY_PIN_START: " +
+                SMCCHelper.toString(resp));
+      }
+    }
+  }
+
+  private byte[] MODIFY_PIN_FINISH(Card icc) throws CardException {
+    int ioctl = features.get(FEATURE_MODIFY_PIN_FINISH);
+    if (log.isTraceEnabled()) {
+      log.trace("MODIFY_PIN_FINISH (" + Integer.toHexString(ioctl) + ")");
+    }
+    byte[] resp = icc.transmitControlCommand(ioctl, new byte[0]);
+    if (resp != null && resp.length == 2) {
+      if (log.isTraceEnabled()) {
+        log.trace("response " + SMCCHelper.toString(resp));
+      }
+      return resp;
+    }
+    log.error("unexpected response to MODIFY_PIN_FINISH: " +
+            SMCCHelper.toString(resp));
+    throw new CardException("unexpected response to MODIFY_PIN_FINISH: " +
+            SMCCHelper.toString(resp));
+  }
+
+  private byte[] VERIFY_PIN_DIRECT(Card icc, byte[] PIN_VERIFY) throws CardException {
+    int ioctl = features.get(FEATURE_VERIFY_PIN_DIRECT);
+    if (log.isTraceEnabled()) {
+      log.trace("VERIFY_PIN_DIRECT (" + Integer.toHexString(ioctl) +
+              ")  " + SMCCHelper.toString(PIN_VERIFY));
+    }
+    byte[] resp = icc.transmitControlCommand(ioctl, PIN_VERIFY);
+    if (log.isTraceEnabled()) {
+      log.trace("response " + SMCCHelper.toString(resp));
+    }
+    return resp;
+  }
+
+  private byte[] verifyPin(Card icc, byte[] PIN_VERIFY, PINGUI pinGUI) 
+          throws SignatureCardException, CardException, InterruptedException {
+
+//    pinGUI.enterPIN(pinSpec, retries);
+
+    log.debug("VERIFY_PIN_START [" + FEATURES[FEATURE_VERIFY_PIN_START] + "]");
+    VERIFY_PIN_START(icc, PIN_VERIFY);
+
+    byte resp;
+    do {
+      resp = GET_KEY_PRESSED(icc);
+      if (resp == (byte) 0x00) {
+        synchronized(this) {
+          try {
+            wait(PIN_ENTRY_POLLING_INTERVAL);
+          } catch (InterruptedException ex) {
+            log.error("interrupted in VERIFY_PIN");
+          }
+        }
+      } else if (resp == (byte) 0x0d) {
+        log.debug("GET_KEY_PRESSED: 0x0d (user confirmed)");
+        break;
+      } else if (resp == (byte) 0x2b) {
+        log.trace("GET_KEY_PRESSED: 0x2b (user entered valid key 0-9)");
+        pinGUI.validKeyPressed();
+      } else if (resp == (byte) 0x1b) {
+        log.debug("GET_KEY_PRESSED: 0x1b (user cancelled VERIFY_PIN via cancel button)");
+        break; // returns 0x6401
+      } else if (resp == (byte) 0x08) {
+        log.debug("GET_KEY_PRESSED: 0x08 (user pressed correction/backspace button)");
+        pinGUI.correctionButtonPressed();
+      } else if (resp == (byte) 0x0e) {
+        log.debug("GET_KEY_PRESSED: 0x0e (timeout occured)");
+        break; // return 0x6400
+      } else if (resp == (byte) 0x40) {
+        log.debug("GET_KEY_PRESSED: 0x40 (PIN_Operation_Aborted)");
+        throw new PINOperationAbortedException("PIN_Operation_Aborted (0x40)");
+      } else if (resp == (byte) 0x0a) {
+        log.debug("GET_KEY_PRESSED: 0x0a (all keys cleared");
+        pinGUI.allKeysCleared();
+      } else {
+        log.error("unexpected response to GET_KEY_PRESSED: " +
+            Integer.toHexString(resp));
+        throw new CardException("unexpected response to GET_KEY_PRESSED: " +
+            Integer.toHexString(resp));
+      }
+    } while (true); 
+
+    return VERIFY_PIN_FINISH(icc);
+  }
+
+  /**
+   * does not display the first pin dialog (enterCurrentPIN or enterNewPIN, depends on bConfirmPIN),
+   * since this is easier to do in calling modify()
+   */
+  private byte[] modifyPin(Card icc, byte[] PIN_MODIFY, ModifyPINGUI pinGUI, PINSpec pINSpec)
+          throws PINOperationAbortedException, CardException {
+
+    byte pinConfirmations = (byte) 0x00; //b0: new pin not entered (0) / entered (1)
+                                         //b1: current pin not entered (0) / entered (1)
+    byte bConfirmPIN = PIN_MODIFY[9];
+    
+//    if ((bConfirmPIN & (byte) 0x02) == 0) {
+//      log.debug("no current PIN entry requested");
+//      pinGUI.enterNewPIN(pINSpec);
+//    } else {
+//      log.debug("current PIN entry requested");
+//      pinGUI.enterCurrentPIN(pINSpec, retries);
+//    }
+
+    log.debug("MODIFY_PIN_START [" + FEATURES[FEATURE_MODIFY_PIN_START] + "]");
+    MODIFY_PIN_START(icc, PIN_MODIFY);
+
+    byte resp;
+    while (true) {
+      resp = GET_KEY_PRESSED(icc);
+      if (resp == (byte) 0x00) {
+        synchronized(this) {
+          try {
+            wait(PIN_ENTRY_POLLING_INTERVAL);
+          } catch (InterruptedException ex) {
+            log.error("interrupted in MODIFY_PIN");
+          }
+        }
+      } else if (resp == (byte) 0x0d) {
+        if (log.isTraceEnabled()) {
+          log.trace("requested pin confirmations: 0b" + Integer.toBinaryString(bConfirmPIN & 0xff));
+          log.trace("performed pin confirmations: 0b" + Integer.toBinaryString(pinConfirmations & 0xff));
+        }
+        log.debug("GET_KEY_PRESSED: 0x0d (user confirmed)");
+        if (pinConfirmations == bConfirmPIN) {
+          break;
+        } else if ((bConfirmPIN & (byte) 0x02) == 0 ||
+            (pinConfirmations & (byte) 0x02) == (byte) 0x02) {
+          // no current pin entry or current pin entry already performed
+          if ((pinConfirmations & (byte) 0x01) == 0) {
+            // new pin
+            pinConfirmations |= (byte) 0x01;
+            pinGUI.confirmNewPIN(pINSpec);
+          } // else: new pin confirmed
+        } else {
+          // current pin entry
+          pinConfirmations |= (byte) 0x02;
+          pinGUI.enterNewPIN(pINSpec);
+        }
+      } else if (resp == (byte) 0x2b) {
+        log.trace("GET_KEY_PRESSED: 0x2b (user entered valid key 0-9)");
+        pinGUI.validKeyPressed();
+      } else if (resp == (byte) 0x1b) {
+        log.debug("GET_KEY_PRESSED: 0x1b (user cancelled VERIFY_PIN via cancel button)");
+        break; // returns 0x6401
+      } else if (resp == (byte) 0x08) {
+        log.debug("GET_KEY_PRESSED: 0x08 (user pressed correction/backspace button)");
+        pinGUI.correctionButtonPressed();
+      } else if (resp == (byte) 0x0e) {
+        log.debug("GET_KEY_PRESSED: 0x0e (timeout occured)");
+        break; // return 0x6400
+      } else if (resp == (byte) 0x40) {
+        log.debug("GET_KEY_PRESSED: 0x40 (PIN_Operation_Aborted)");
+        throw new PINOperationAbortedException("PIN_Operation_Aborted (0x40)");
+      } else if (resp == (byte) 0x0a) {
+        log.debug("GET_KEY_PRESSED: 0x0a (all keys cleared");
+        pinGUI.allKeysCleared();
+      } else {
+        log.error("unexpected response to GET_KEY_PRESSED: " +
+            Integer.toHexString(resp));
+        throw new CardException("unexpected response to GET_KEY_PRESSED: " +
+            Integer.toHexString(resp));
+      }
+
+    }
+
+    pinGUI.finish();
+    return MODIFY_PIN_FINISH(icc);
+  }
+
+  private byte[] MODIFY_PIN_DIRECT(Card icc, byte[] PIN_MODIFY) throws CardException {
+    int ioctl = features.get(FEATURE_MODIFY_PIN_DIRECT);
+    if (log.isTraceEnabled()) {
+      log.trace("MODIFY_PIN_DIRECT (" + Integer.toHexString(ioctl) +
+              ")  " + SMCCHelper.toString(PIN_MODIFY));
+    }
+    byte[] resp = icc.transmitControlCommand(ioctl, PIN_MODIFY);
+    if (log.isTraceEnabled()) {
+      log.trace("response " + SMCCHelper.toString(resp));
+    }
+    return resp;
+  }
+  
+  protected byte[] createPINModifyStructure(NewReferenceDataAPDUSpec apduSpec, PINSpec pinSpec) {
+
+    ByteArrayOutputStream s = new ByteArrayOutputStream();
+    // bTimeOut
+    s.write(bTimeOut);
+    // bTimeOut2
+    s.write(bTimeOut2);
+    // bmFormatString
+    s.write(1 << 7 // system unit = byte
+        | (0xF & apduSpec.getPinPosition()) << 3
+        | (0x1 & apduSpec.getPinJustification() << 2)
+        | (0x3 & apduSpec.getPinFormat()));
+    // bmPINBlockString
+    s.write((0xF & apduSpec.getPinLengthSize()) << 4
+        | (0xF & apduSpec.getPinLength()));
+    // bmPINLengthFormat
+    s.write(// system unit = bit
+        (0xF & apduSpec.getPinLengthPos()));
+    // bInsertionOffsetOld
+    s.write(0x00);
+    // bInsertionOffsetNew
+    s.write(apduSpec.getPinInsertionOffsetNew());
+    // wPINMaxExtraDigit
+    s.write(Math.min(pinSpec.getMaxLength(), wPINMaxExtraDigitL));
+    s.write(Math.max(pinSpec.getMinLength(), wPINMaxExtraDigitH));
+    // bConfirmPIN
+    s.write(0x01);
+    // bEntryValidationCondition
+    s.write(bEntryValidationCondition);
+    // bNumberMessage
+    s.write(0x02);
+    // wLangId English (United States), see http://www.usb.org/developers/docs/USB_LANGIDs.pdf
+    s.write(0x09);
+    s.write(0x04);
+    // bMsgIndex1
+    s.write(0x01);
+    // bMsgIndex2
+    s.write(0x02);
+    // bMsgIndex3
+    s.write(0x00);
+
+    // bTeoPrologue
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // ulDataLength
+    s.write(apduSpec.getApdu().length);
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // abData
+    try {
+      s.write(apduSpec.getApdu());
+    } catch (IOException e) {
+      // As we are dealing with ByteArrayOutputStreams no exception is to be
+      // expected.
+      throw new RuntimeException(e);
+    }
+
+    return s.toByteArray();
+
+  }
+  
+  protected byte[] createPINModifyStructure(ChangeReferenceDataAPDUSpec apduSpec, PINSpec pinSpec) {
+    //TODO bInsertionOffsetOld (0x00), bConfirmPIN (0x01), bNumberMessage (0x02), bMsgIndex1/2/3
+
+    ByteArrayOutputStream s = new ByteArrayOutputStream();
+    // bTimeOut
+    s.write(bTimeOut);
+    // bTimeOut2
+    s.write(bTimeOut2);
+    // bmFormatString
+    s.write(1 << 7 // system unit = byte
+        | (0xF & apduSpec.getPinPosition()) << 3
+        | (0x1 & apduSpec.getPinJustification() << 2)
+        | (0x3 & apduSpec.getPinFormat()));
+    // bmPINBlockString
+    s.write((0xF & apduSpec.getPinLengthSize()) << 4
+        | (0xF & apduSpec.getPinLength()));
+    // bmPINLengthFormat
+    s.write(// system unit = bit
+        (0xF & apduSpec.getPinLengthPos()));
+    // bInsertionOffsetOld (0x00 for no old pin?)
+    s.write(apduSpec.getPinInsertionOffsetOld());
+    // bInsertionOffsetNew
+    s.write(apduSpec.getPinInsertionOffsetNew());
+    // wPINMaxExtraDigit
+    s.write(Math.min(pinSpec.getMaxLength(), wPINMaxExtraDigitL));
+    s.write(Math.max(pinSpec.getMinLength(), wPINMaxExtraDigitH));
+    // bConfirmPIN
+    s.write(0x03);
+    // bEntryValidationCondition
+    s.write(bEntryValidationCondition);
+    // bNumberMessage
+    s.write(0x03);
+    // wLangId English (United States), see http://www.usb.org/developers/docs/USB_LANGIDs.pdf
+    s.write(0x09);
+    s.write(0x04);
+    // bMsgIndex1
+    s.write(0x00);
+    // bMsgIndex2
+    s.write(0x01);
+    // bMsgIndex3
+    s.write(0x02);
+    
+    // bTeoPrologue
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // ulDataLength
+    s.write(apduSpec.getApdu().length);
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // abData
+    try {
+      s.write(apduSpec.getApdu());
+    } catch (IOException e) {
+      // As we are dealing with ByteArrayOutputStreams no exception is to be
+      // expected.
+      throw new RuntimeException(e);
+    }
+    
+    return s.toByteArray();
+
+  }
+  
+  protected byte[] createPINVerifyStructure(VerifyAPDUSpec apduSpec, PINSpec pinSpec) {
+    
+    ByteArrayOutputStream s = new ByteArrayOutputStream();
+    // bTimeOut
+    s.write(bTimeOut);
+    // bTimeOut2
+    s.write(bTimeOut2);
+    // bmFormatString
+    s.write(1 << 7 // system unit = byte
+        | (0xF & apduSpec.getPinPosition()) << 3
+        | (0x1 & apduSpec.getPinJustification() << 2)
+        | (0x3 & apduSpec.getPinFormat()));
+    // bmPINBlockString
+    s.write((0xF & apduSpec.getPinLengthSize()) << 4
+        | (0xF & apduSpec.getPinLength()));
+    // bmPINLengthFormat
+    s.write(// system unit = bit
+        (0xF & apduSpec.getPinLengthPos()));
+    // wPINMaxExtraDigit
+    s.write(Math.min(pinSpec.getMaxLength(), wPINMaxExtraDigitL)); // max PIN length
+    s.write(Math.max(pinSpec.getMinLength(), wPINMaxExtraDigitH)); // min PIN length
+    // bEntryValidationCondition
+    s.write(bEntryValidationCondition);
+    // bNumberMessage
+    s.write(0x01);
+    // wLangId
+    s.write(0x09);
+    s.write(0x04);
+    // bMsgIndex
+    s.write(0x00);
+    // bTeoPrologue
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // ulDataLength
+    s.write(apduSpec.getApdu().length);
+    s.write(0x00);
+    s.write(0x00);
+    s.write(0x00);
+    // abData
+    try {
+      s.write(apduSpec.getApdu());
+    } catch (IOException e) {
+      // As we are dealing with ByteArrayOutputStreams no exception is to be
+      // expected.
+      throw new RuntimeException(e);
+    }
+    
+    return s.toByteArray();
+    
+  }
+
+  @Override
+  public ResponseAPDU verify(CardChannel channel, VerifyAPDUSpec apduSpec,
+          PINGUI pinGUI, PINSpec pinSpec, int retries)
+        throws SignatureCardException, CardException, InterruptedException {
+
+    ResponseAPDU resp = null;
+
+    byte[] s = createPINVerifyStructure(apduSpec, pinSpec);
+    Card icc = channel.getCard();
+
+    if (VERIFY) {
+      pinGUI.enterPIN(pinSpec, retries);
+      resp = new ResponseAPDU(verifyPin(icc, s, pinGUI));
+    } else if (VERIFY_DIRECT) {
+      pinGUI.enterPINDirect(pinSpec, retries);
+      log.debug("VERIFY_PIN_DIRECT [" + FEATURES[FEATURE_VERIFY_PIN_DIRECT] + "]");
+      resp = new ResponseAPDU(VERIFY_PIN_DIRECT(icc, s));
+    } else {
+      log.warn("falling back to default pin-entry");
+      return super.verify(channel, apduSpec, pinGUI, pinSpec, retries);
+    }
+
+    switch (resp.getSW()) {
+      case 0x6400:
+        log.debug("SPE operation timed out.");
+        throw new TimeoutException();
+      case 0x6401:
+        log.debug("SPE operation was cancelled by the 'Cancel' button.");
+        throw new CancelledException();
+      case 0x6403:
+          log.debug("User entered too short or too long PIN "
+              + "regarding MIN/MAX PIN length.");
+          throw new PINFormatException();
+      case 0x6480:
+        log.debug("SPE operation was aborted by the 'Cancel' operation "
+            + "at the host system.");
+      case 0x6b80:
+        log.info("Invalid parameter in passed structure.");
+      default:
+        return resp;
+    }
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel, ChangeReferenceDataAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec, int retries)
+        throws SignatureCardException, CardException, InterruptedException {
+    
+    ResponseAPDU resp = null;
+
+    byte[] s = createPINModifyStructure(apduSpec, pinSpec);
+    Card icc = channel.getCard();
+    
+    if (MODIFY) {
+      pinGUI.enterCurrentPIN(pinSpec, retries);
+      resp = new ResponseAPDU(modifyPin(icc, s, pinGUI, pinSpec));
+    } else if (MODIFY_DIRECT) {
+      pinGUI.modifyPINDirect(pinSpec, retries);
+      log.debug("MODIFY_PIN_DIRECT [" + FEATURES[FEATURE_MODIFY_PIN_DIRECT] + "]");
+      resp = new ResponseAPDU(MODIFY_PIN_DIRECT(icc, s));
+    } else {
+      log.warn("falling back to default pin-entry");
+      return super.modify(channel, apduSpec, pinGUI, pinSpec, retries);
+    }
+
+    switch (resp.getSW()) {
+      case 0x6400:
+        log.debug("SPE operation timed out.");
+        throw new TimeoutException();
+      case 0x6401:
+        log.debug("SPE operation was cancelled by the 'Cancel' button.");
+        throw new CancelledException();
+      case 0x6402:
+        log.debug("Modify PIN operation failed because two 'new PIN' " +
+                "entries do not match");
+        throw new PINConfirmationException();
+      case 0x6403:
+        log.debug("User entered too short or too long PIN "
+              + "regarding MIN/MAX PIN length.");
+        throw new PINFormatException();
+      case 0x6480:
+        log.debug("SPE operation was aborted by the 'Cancel' operation "
+            + "at the host system.");
+      case 0x6b80:
+        log.info("Invalid parameter in passed structure.");
+      default:
+        return resp;
+    }
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel, NewReferenceDataAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec)
+        throws SignatureCardException, CardException, InterruptedException {
+
+    ResponseAPDU resp = null;
+
+    byte[] s = createPINModifyStructure(apduSpec, pinSpec);
+    Card icc = channel.getCard();
+
+    if (MODIFY) {
+      pinGUI.enterNewPIN(pinSpec);
+      resp = new ResponseAPDU(modifyPin(icc, s, pinGUI, pinSpec));
+    } else if (MODIFY_DIRECT) {
+      pinGUI.modifyPINDirect(pinSpec, -1);
+      log.debug("MODIFY_PIN_DIRECT [" + FEATURES[FEATURE_MODIFY_PIN_DIRECT] + "]");
+      resp = new ResponseAPDU(MODIFY_PIN_DIRECT(icc, s));
+    } else {
+      log.warn("falling back to default pin-entry");
+      return super.modify(channel, apduSpec, pinGUI, pinSpec);
+    }
+
+    switch (resp.getSW()) {
+      case 0x6400:
+        log.debug("SPE operation timed out.");
+        throw new TimeoutException();
+      case 0x6401:
+        log.debug("SPE operation was cancelled by the 'Cancel' button.");
+        throw new CancelledException();
+      case 0x6402:
+        log.debug("Modify PIN operation failed because two 'new PIN' " +
+                "entries do not match");
+        throw new PINConfirmationException();
+      case 0x6403:
+        log.debug("User entered too short or too long PIN "
+              + "regarding MIN/MAX PIN length.");
+        throw new PINFormatException();
+      case 0x6480:
+        log.debug("SPE operation was aborted by the 'Cancel' operation "
+            + "at the host system.");
+      case 0x6b80:
+        log.info("Invalid parameter in passed structure.");
+      default:
+        return resp;
+    }
+  }
+
+  @Override
+  public ResponseAPDU modify(CardChannel channel, ResetRetryCounterAPDUSpec apduSpec,
+          ModifyPINGUI pinGUI, PINSpec pinSpec, int retries)
+          throws InterruptedException, CardException, SignatureCardException {
+    //TODO
+    return modify(channel, (ChangeReferenceDataAPDUSpec) apduSpec, pinGUI, pinSpec, retries);
+  }
+}
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/reader/ReaderFactory.java b/smcc/src/main/java/at/gv/egiz/smcc/reader/ReaderFactory.java
new file mode 100644
index 00000000..eb197d9f
--- /dev/null
+++ b/smcc/src/main/java/at/gv/egiz/smcc/reader/ReaderFactory.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package at.gv.egiz.smcc.reader;
+
+import at.gv.egiz.smcc.conf.SMCCConfiguration;
+import at.gv.egiz.smcc.util.SMCCHelper;
+import java.util.HashMap;
+import java.util.Map;
+import javax.smartcardio.Card;
+import javax.smartcardio.CardException;
+import javax.smartcardio.CardTerminal;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class ReaderFactory {
+
+  protected final static Log log = LogFactory.getLog(ReaderFactory.class);
+  
+  protected SMCCConfiguration configuration;
+
+  private ReaderFactory() {
+  }
+
+  /**
+   * @param configuration the configuration to set
+   */
+  public void setConfiguration(SMCCConfiguration configuration) {
+    this.configuration = configuration;
+  }
+
+  public static CardReader getReader(Card icc, CardTerminal ct) {
+
+    String name = ct.getName();
+    log.info("creating reader " + name);
+
+    Map<Byte, Integer> features = queryFeatures(icc);
+    boolean disablePinpad = false;
+    CardReader reader;
+
+        //TODO query application context for reader config
+//    if (configuration != null) {
+//      String disablePinpad = configuration.getProperty(SMCCConfiguration.DISABLE_PINPAD_P);
+//      log.debug("setting disablePinpad to " + Boolean.parseBoolean(disablePinpad));
+//      reader.setDisablePinpad(Boolean.parseBoolean(disablePinpad));
+//    }
+    log.warn("card reader configuration is not considered");
+
+    if (features.isEmpty() || disablePinpad) {
+      reader = new DefaultCardReader(ct);
+    } else {
+      reader = new PinpadCardReader(ct, features);
+    }
+
+    return reader;
+  }
+
+  private static int CTL_CODE(int code) {
+    String os_name = System.getProperty("os.name").toLowerCase();
+    if (os_name.indexOf("windows") > -1) {
+      // cf. WinIOCTL.h
+      return (0x31 << 16 | (code) << 2);
+    }
+    // cf. reader.h
+    return 0x42000000 + (code);
+  }
+
+  static int IOCTL_GET_FEATURE_REQUEST = CTL_CODE(3400);
+
+  private static Map<Byte, Integer> queryFeatures(Card icc) {
+    Map<Byte, Integer> features = new HashMap<Byte, Integer>();
+
+    if (icc == null) {
+      log.warn("invalid card handle, cannot query ifd features");
+    } else {
+      try {
+        if (log.isTraceEnabled()) {
+          log.trace("GET_FEATURE_REQUEST " + Integer.toHexString(IOCTL_GET_FEATURE_REQUEST));
+        }
+        byte[] resp = icc.transmitControlCommand(IOCTL_GET_FEATURE_REQUEST,
+                new byte[0]);
+
+        if (log.isTraceEnabled()) {
+          log.trace("Response TLV " + SMCCHelper.toString(resp));
+        }
+        // tag
+        // length in bytes (always 4)
+        // control code value for supported feature (in big endian)
+        for (int i = 0; i < resp.length; i += 6) {
+          Byte feature = new Byte(resp[i]);
+          Integer ioctl = new Integer((0xff & resp[i + 2]) << 24) |
+                  ((0xff & resp[i + 3]) << 16) |
+                  ((0xff & resp[i + 4]) << 8) |
+                  (0xff & resp[i + 5]);
+          if (log.isInfoEnabled()) {
+            log.info("IFD supports " + CardReader.FEATURES[feature.intValue()] +
+                    ": " + Integer.toHexString(ioctl.intValue()));
+          }
+          features.put(feature, ioctl);
+        }
+      } catch (CardException ex) {
+        log.debug("Failed to query IFD features: " + ex.getMessage());
+        log.trace(ex);
+        log.info("IFD does not support secure pin entry");
+      }
+    }
+    return features;
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java b/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java
index 137de509..affb06ff 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/AbstractAppl.java
@@ -51,6 +51,7 @@ public abstract class AbstractAppl implements CardAppl {
     return files;
   }
 
+  @Override
   public abstract void setPin(int kid, char[] value);
   
 }
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java
index 6017bcce..3dfc8510 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardEmul.java
@@ -28,15 +28,15 @@ import javax.smartcardio.CardException;
 @SuppressWarnings("restriction")
 public abstract class CardEmul extends Card {
 
-  protected Thread exclThread = null;
-  protected CardChannel channel = newCardChannel(this);
+  protected Thread exclThread; // = null;
+  protected CardChannel channel; // = newCardChannel(this);
   protected List<AbstractAppl> applications = new ArrayList<AbstractAppl>();
 
   public CardEmul() {
     super();
   }
 
-  protected abstract CardChannelEmul newCardChannel(CardEmul cardEmul);
+//  protected abstract CardChannelEmul newCardChannel(CardEmul cardEmul);
 
   @Override
   public void beginExclusive() throws CardException {
@@ -71,9 +71,9 @@ public abstract class CardEmul extends Card {
 
   @Override
   public void disconnect(boolean reset) throws CardException {
-    if (reset) {
-      channel = newCardChannel(this);
-    }
+//    if (reset) {
+//      channel = newCardChannel(this);
+//    }
   }
 
   @Override
@@ -93,7 +93,7 @@ public abstract class CardEmul extends Card {
       }
 
   public AbstractAppl getApplication(byte[] fid) {
-    
+
     for(AbstractAppl appl : applications) {
       if (Arrays.equals(appl.getAID(), fid) || Arrays.equals(appl.getFID(), fid)) {
         return appl;
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
index b3bd07ab..44e48836 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/CardTest.java
@@ -16,12 +16,14 @@
 */
 package at.gv.egiz.smcc;
 
+import at.gv.egiz.smcc.pin.gui.CancelPINProvider;
+import at.gv.egiz.smcc.pin.gui.InterruptPINProvider;
+import at.gv.egiz.smcc.pin.gui.CancelChangePINProvider;
 import static org.junit.Assert.*;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.List;
@@ -32,119 +34,15 @@ import org.junit.Test;
 
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
 import at.gv.egiz.smcc.acos.A04ApplDEC;
+import at.gv.egiz.smcc.pin.gui.DummyPINGUI;
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
+import at.gv.egiz.smcc.pin.gui.SMCCTestPINProvider;
+import org.junit.Ignore;
 
 @SuppressWarnings("restriction")
 public abstract class CardTest {
 
-  public class TestPINProvider implements PINProvider {
-    
-    int provided = 0;
-  
-    char[] pin;
-  
-    public TestPINProvider(char[] pin) {
-      super();
-      this.pin = pin;
-    }
-  
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-        throws CancelledException, InterruptedException {
-      provided++;
-      return pin;
-    }
-
-    public int getProvided() {
-      return provided;
-    }
-  
-  }
-
-  public class TestChangePINProvider extends TestPINProvider implements
-      ChangePINProvider {
-  
-    char[] oldPin;
-  
-    public TestChangePINProvider(char[] oldPin, char[] pin) {
-      super(pin);
-      this.oldPin = oldPin;
-    }
-  
-    @Override
-    public char[] provideOldPIN(PINSpec spec, int retries)
-        throws CancelledException, InterruptedException {
-      return oldPin;
-    }
-  
-  }
-
-  public class TestInvalidPINProvider implements PINProvider {
-
-    int provided = 0;
-    int numWrongTries = 0;
-
-    char[] pin;
-
-    public TestInvalidPINProvider(char[] pin, int numWrongTries) {
-      super();
-      this.pin = pin;
-      this.numWrongTries = numWrongTries;
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-        throws CancelledException, InterruptedException {
-      if (provided >= numWrongTries) {
-        throw new CancelledException("Number of wrong tries reached: " + provided);
-      } else {
-        provided++;
-        return pin;
-      }
-    }
-
-    public int getProvided() {
-      return provided;
-    }
-  }
-
-  public class TestInvalidChangePINProvider implements ChangePINProvider {
-
-    int provided = 0;
-    int numWrongTries = 0;
-
-    char[] pin;
-    char[] oldPin;
-
-    /** emulate ChangePinProvider */
-    public TestInvalidChangePINProvider(char[] oldPin, char[] newPin, int numWrongTries) {
-      super();
-      this.pin = newPin;
-      this.oldPin = oldPin;
-      this.numWrongTries = numWrongTries;
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-        throws CancelledException, InterruptedException {
-      return pin;
-    }
-
-    public int getProvided() {
-      return provided;
-    }
-
-    @Override
-    public char[] provideOldPIN(PINSpec spec, int retries)
-        throws CancelledException, InterruptedException {
-      if (provided >= numWrongTries) {
-        throw new CancelledException("Number of wrong tries reached: " + provided);
-      } else {
-        provided++;
-        return oldPin;
-      }
-    }
-  }
-
   public CardTest() {
     super();
   }
@@ -167,7 +65,7 @@ public abstract class CardTest {
     
     SignatureCard signatureCard = createSignatureCard();
     
-    TestPINProvider pinProvider = new TestPINProvider(pin);
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider(pin);
 
     byte[] idlink = signatureCard.getInfobox("IdentityLink",
         pinProvider, null);
@@ -184,13 +82,7 @@ public abstract class CardTest {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
-          @Override
-          public char[] providePIN(PINSpec spec, int retries)
-              throws CancelledException, InterruptedException {
-            throw new CancelledException();
-          }
-        };
+        PINGUI pinProvider = new CancelPINProvider();
       
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR, pinProvider,
@@ -205,13 +97,7 @@ public abstract class CardTest {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
-          @Override
-          public char[] providePIN(PINSpec spec, int retries)
-              throws CancelledException, InterruptedException {
-            throw new CancelledException();
-          }
-        };
+        PINGUI pinProvider = new CancelPINProvider();
       
         signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
             .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
@@ -226,13 +112,7 @@ public abstract class CardTest {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
-          @Override
-          public char[] providePIN(PINSpec spec, int retries)
-              throws CancelledException, InterruptedException {
-            throw new InterruptedException();
-          }
-        };
+        PINGUI pinProvider = new InterruptPINProvider();
       
         signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
             .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
@@ -247,13 +127,7 @@ public abstract class CardTest {
       
         SignatureCard signatureCard = createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
-          @Override
-          public char[] providePIN(PINSpec spec, int retries)
-              throws CancelledException, InterruptedException {
-            throw new InterruptedException();
-          }
-        };
+        PINGUI pinProvider = new InterruptPINProvider();
       
         signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
             .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
@@ -268,11 +142,11 @@ public abstract class CardTest {
       
         final SignatureCard signatureCard = createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
+        PINGUI pinProvider = new DummyPINGUI() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
               throws CancelledException, InterruptedException {
-      
+
             try {
               signatureCard.getCertificate(KeyboxName.SECURE_SIGNATURE_KEYPAIR);
               assertTrue(false);
@@ -281,10 +155,10 @@ public abstract class CardTest {
               // expected
               throw new CancelledException();
             }
-      
+
           }
         };
-      
+
         signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
             .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
             pinProvider, null);
@@ -298,7 +172,7 @@ public abstract class CardTest {
       
         final SignatureCard signatureCard = createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
+        PINGUI pinProvider = new DummyPINGUI() {
           @Override
           public char[] providePIN(PINSpec spec, int retries)
               throws CancelledException, InterruptedException {
@@ -311,7 +185,6 @@ public abstract class CardTest {
               // expected
               throw new CancelledException();
             }
-      
           }
         };
       
@@ -339,13 +212,7 @@ public abstract class CardTest {
       
         PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
       
-        PINProvider pinProvider = new PINProvider() {
-          @Override
-          public char[] providePIN(PINSpec spec, int retries)
-              throws CancelledException, InterruptedException {
-            throw new CancelledException();
-          }
-        };
+        ModifyPINGUI pinProvider = new CancelChangePINProvider();
       
         List<PINSpec> specs = signatureCard.getPINSpecs();
       
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/PIN.java b/smcc/src/test/java/at/gv/egiz/smcc/PIN.java
index ae883727..2cda0c2f 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/PIN.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/PIN.java
@@ -23,19 +23,23 @@ public class PIN {
   public static final int STATE_PIN_VERIFIED = 1;
   
   public static final int STATE_PIN_BLOCKED = -1;
+
+  public static final int STATE_PIN_NOTACTIVE = 2;
   
   public byte[] pin;
   
   public int kid;
   
-  public int state = STATE_RESET;
+  public int state; // = STATE_RESET;
   
-  public int kfpc = 10;
+  public int kfpc; // = 10;
 
-  public PIN(byte[] pin, int kid, int kfpc) {
+  //TODO also provde default constructor without state param
+  public PIN(byte[] pin, int kid, int kfpc, int state) {
     this.pin = pin;
     this.kid = kid;
     this.kfpc = kfpc;
+    this.state = state;
   }
 
 }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java
index 9fd96d73..f4ac5c35 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03ApplDEC.java
@@ -40,7 +40,7 @@ public class A03ApplDEC extends ACOSApplDEC {
     putFile(new File(FID_EF_INFOBOX, EF_INFOBOX, FCI_EF_INFOBOX, KID_PIN_INF));
 
     try {
-      pins.put(KID_PIN_INF, new PIN("0000\0\0\0\0".getBytes("ASCII"), KID_PIN_INF, 10));
+      pins.put(KID_PIN_INF, new PIN("0000\0\0\0\0".getBytes("ASCII"), KID_PIN_INF, 10, PIN.STATE_RESET));
     } catch (UnsupportedEncodingException e) {
       throw new RuntimeException(e);
     }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java
index 58216b6b..7394bae7 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardEmul.java
@@ -24,13 +24,8 @@ import at.gv.egiz.smcc.CardEmul;
 public class A03CardEmul extends ACOSCardEmul {
 
   public A03CardEmul(A03ApplSIG applSIG, A03ApplDEC applDEC) {
+    channel = new A03CardChannelEmul(this);
     applications.add(applSIG);
     applications.add(applDEC);
   }
-
-  @Override
-  protected CardChannelEmul newCardChannel(CardEmul cardEmul) {
-    return new A03CardChannelEmul(this);
-  }
-
 }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java
index 776c0370..3a8ac41c 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A03CardTest.java
@@ -22,15 +22,16 @@ import java.util.Arrays;
 
 import org.junit.Test;
 
-import at.gv.egiz.smcc.ACOSCard;
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.CardEmul;
 import at.gv.egiz.smcc.CardNotSupportedException;
 import at.gv.egiz.smcc.CardTerminalEmul;
+import at.gv.egiz.smcc.pin.gui.ChangePINProvider;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
 import at.gv.egiz.smcc.PINFormatException;
 import at.gv.egiz.smcc.PINMgmtSignatureCard;
+import at.gv.egiz.smcc.pin.gui.SMCCTestPINProvider;
 import at.gv.egiz.smcc.PINSpec;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
@@ -74,12 +75,12 @@ public class A03CardTest extends ACOSCardTest {
       char[] pin = defaultPin;
 
       for (int i = pinSpec.getMinLength(); i <= pinSpec.getMaxLength(); i++) {
-        signatureCard.verifyPIN(pinSpec, new TestPINProvider(pin));
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
         char[] newPin = new char[i];
         Arrays.fill(newPin, '0');
         signatureCard
-            .changePIN(pinSpec, new TestChangePINProvider(pin, newPin));
-        signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
+            .changePIN(pinSpec, new ChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(newPin));
         pin = newPin;
       }
 
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java
index 70925aa6..dd44d05b 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardEmul.java
@@ -24,14 +24,9 @@ import at.gv.egiz.smcc.CardEmul;
 public class A04CardEmul extends ACOSCardEmul {
 
   public A04CardEmul(A04ApplSIG applSIG, A04ApplDEC applDEC) {
+    channel = new A04CardChannelEmul(this);
     applications.add(applSIG);
     applications.add(applDEC);
   }
-
-  @Override
-  protected CardChannelEmul newCardChannel(CardEmul cardEmul) {
-    return new A04CardChannelEmul(this);
-  }
-
   
 }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java
index d15e80d7..1cbea1b3 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/A04CardTest.java
@@ -28,7 +28,6 @@ import java.util.Arrays;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-import at.gv.egiz.smcc.ACOSCard;
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.CardEmul;
 import at.gv.egiz.smcc.CardNotSupportedException;
@@ -41,7 +40,8 @@ import at.gv.egiz.smcc.PINSpec;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.smcc.SignatureCardFactory;
-import at.gv.egiz.smcc.CardTest.TestPINProvider;
+import at.gv.egiz.smcc.pin.gui.ChangePINProvider;
+import at.gv.egiz.smcc.pin.gui.SMCCTestPINProvider;
 
 public class A04CardTest extends ACOSCardTest {
 
@@ -88,8 +88,8 @@ public class A04CardTest extends ACOSCardTest {
         char[] newPin = new char[i];
         Arrays.fill(newPin, '0');
         signatureCard
-            .changePIN(pinSpec, new TestChangePINProvider(pin, newPin));
-        signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
+            .changePIN(pinSpec, new ChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(newPin));
         pin = newPin;
       }
 
@@ -111,7 +111,7 @@ public class A04CardTest extends ACOSCardTest {
     SignatureCard signatureCard = factory.createSignatureCard(card,
         new CardTerminalEmul(card));
 
-    TestPINProvider pinProvider = new TestPINProvider(pin);
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider(pin);
 
     byte[] idlink = signatureCard.getInfobox("IdentityLink",
         pinProvider, null);
@@ -129,7 +129,7 @@ public class A04CardTest extends ACOSCardTest {
     
     SignatureCard signatureCard = createSignatureCard();
     
-    TestPINProvider pinProvider = new TestPINProvider(pin);
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider(pin);
 
     byte[] idlink = signatureCard.getInfobox("IdentityLink",
         pinProvider, null);
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java
index 08979536..09a754f3 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplDEC.java
@@ -297,7 +297,7 @@ public abstract class ACOSApplDEC extends ACOSAppl {
     System.arraycopy(C_CH_EKEY, 0, EF_C_CH_EKEY, 0, C_CH_EKEY.length);
     putFile(new File(FID_EF_C_CH_EKEY, EF_C_CH_EKEY, FCI_EF_C_CH_EKEY));
     try {
-      pins.put(KID_PIN_DEC, new PIN("1234\0\0\0\0".getBytes("ASCII"), KID_PIN_DEC, 10));
+      pins.put(KID_PIN_DEC, new PIN("1234\0\0\0\0".getBytes("ASCII"), KID_PIN_DEC, 10, PIN.STATE_RESET));
     } catch (UnsupportedEncodingException e) {
       throw new RuntimeException(e);
     }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java
index e476b434..6ab5903a 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSApplSIG.java
@@ -221,7 +221,7 @@ public abstract class ACOSApplSIG extends ACOSAppl {
     
     // PINs
     try {
-      pins.put(KID_PIN_SIG, new PIN(Arrays.copyOf("123456".getBytes("ASCII"), 8), KID_PIN_SIG, 3));
+      pins.put(KID_PIN_SIG, new PIN(Arrays.copyOf("123456".getBytes("ASCII"), 8), KID_PIN_SIG, 3, PIN.STATE_RESET));
     } catch (UnsupportedEncodingException e) {
       throw new RuntimeException(e);
     }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
index 56d1e4b2..4f012739 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/acos/ACOSCardTest.java
@@ -16,26 +16,23 @@
 */
 package at.gv.egiz.smcc.acos;
 
-import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 
 import org.junit.Test;
 
-import at.gv.egiz.smcc.ACOSCard;
 import at.gv.egiz.smcc.CardEmul;
 import at.gv.egiz.smcc.CardNotSupportedException;
 import at.gv.egiz.smcc.CardTest;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.pin.gui.SMCCTestPINProvider;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
@@ -60,7 +57,7 @@ public abstract class ACOSCardTest extends CardTest {
     appl.clearInfobox();
 
     byte[] idlink = signatureCard.getInfobox("IdentityLink",
-        new TestPINProvider(pin), null);
+        new SMCCTestPINProvider(pin), null);
     assertNull(idlink);
 
   }
@@ -76,7 +73,7 @@ public abstract class ACOSCardTest extends CardTest {
     ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
     appl.setInfoboxHeader((byte) 0xFF);
 
-    signatureCard.getInfobox("IdentityLink", new TestPINProvider(pin), null);
+    signatureCard.getInfobox("IdentityLink", new SMCCTestPINProvider(pin), null);
 
   }
 
@@ -138,7 +135,7 @@ public abstract class ACOSCardTest extends CardTest {
 
     byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")),
-        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin), null);
+        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new SMCCTestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -158,7 +155,7 @@ public abstract class ACOSCardTest extends CardTest {
 
     byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")),
-        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin), null);
+        KeyboxName.CERITIFIED_KEYPAIR, new SMCCTestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -171,7 +168,7 @@ public abstract class ACOSCardTest extends CardTest {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("000000".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
@@ -186,7 +183,7 @@ public abstract class ACOSCardTest extends CardTest {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("0000".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
@@ -204,7 +201,7 @@ public abstract class ACOSCardTest extends CardTest {
     ACOSApplSIG appl = (ACOSApplSIG) card.getApplication(ACOSAppl.AID_SIG);
     appl.setPin(ACOSApplSIG.KID_PIN_SIG, null);
 
-    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("000000".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
@@ -222,7 +219,7 @@ public abstract class ACOSCardTest extends CardTest {
     ACOSApplDEC appl = (ACOSApplDEC) card.getApplication(ACOSAppl.AID_DEC);
     appl.setPin(ACOSApplDEC.KID_PIN_DEC, null);
 
-    TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("0000".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelChangePINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelChangePINProvider.java
new file mode 100644
index 00000000..dffe7e29
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelChangePINProvider.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public class CancelChangePINProvider extends DummyChangePINGUI implements ModifyPINGUI {
+
+  public CancelChangePINProvider() {
+  }
+
+  @Override
+  public char[] provideCurrentPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    throw new CancelledException("cancelled by cancelPINProvider");
+  }
+
+  @Override
+  public char[] provideNewPIN(PINSpec spec)
+          throws CancelledException, InterruptedException {
+    throw new CancelledException("cancelled by cancelPINProvider");
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelPINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelPINProvider.java
new file mode 100644
index 00000000..77f19345
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/CancelPINProvider.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public class CancelPINProvider extends DummyPINGUI implements PINGUI {
+
+  @Override
+  public char[] providePIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    throw new CancelledException("cancelled by cancelPINProvider");
+  }
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/ChangePINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/ChangePINProvider.java
new file mode 100644
index 00000000..5eb8b9a1
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/ChangePINProvider.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public class ChangePINProvider extends DummyChangePINGUI implements ModifyPINGUI {
+
+  int provided = 0;
+  char[] pin;
+  char[] oldPin;
+
+  public ChangePINProvider(char[] oldPin, char[] pin) {
+    this.pin = pin;
+    this.oldPin = oldPin;
+  }
+
+  public int getProvided() {
+    return provided;
+  }
+
+  @Override
+  public char[] provideCurrentPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    provided++;
+    return oldPin;
+  }
+
+  @Override
+  public char[] provideNewPIN(PINSpec spec) {
+    return pin;
+  }
+
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyChangePINGUI.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyChangePINGUI.java
new file mode 100644
index 00000000..fff89409
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyChangePINGUI.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public abstract class DummyChangePINGUI implements ModifyPINGUI {
+
+  @Override
+  public void validKeyPressed() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void correctionButtonPressed() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void allKeysCleared() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void finish() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void finishDirect() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void modifyPINDirect(PINSpec spec, int retries) throws CancelledException, InterruptedException {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void enterCurrentPIN(PINSpec spec, int retries) {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void enterNewPIN(PINSpec spec) {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void confirmNewPIN(PINSpec spec) {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyPINGUI.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyPINGUI.java
new file mode 100644
index 00000000..4d99b5c1
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/DummyPINGUI.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public abstract class DummyPINGUI implements PINGUI {
+
+   @Override
+  public void enterPINDirect(PINSpec spec, int retries) throws CancelledException, InterruptedException {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void enterPIN(PINSpec spec, int retries) throws CancelledException, InterruptedException {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void validKeyPressed() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void correctionButtonPressed() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
+  @Override
+  public void allKeysCleared() {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InterruptPINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InterruptPINProvider.java
new file mode 100644
index 00000000..5706b888
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InterruptPINProvider.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+@SuppressWarnings("restriction")
+public class InterruptPINProvider extends DummyPINGUI implements PINGUI {
+
+  public InterruptPINProvider() {
+  }
+
+  @Override
+  public char[] providePIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    throw new InterruptedException("interrupted by cancelPINProvider");
+  }
+
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidChangePINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidChangePINProvider.java
new file mode 100644
index 00000000..69c9f42a
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidChangePINProvider.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public class InvalidChangePINProvider extends DummyChangePINGUI implements ModifyPINGUI {
+
+  int provided = 0;
+  int numWrongTries = 0;
+  char[] pin;
+  char[] oldPin;
+
+  /** emulate ChangePinProvider */
+  public InvalidChangePINProvider(char[] oldPin, char[] newPin, int numWrongTries) {
+    super();
+    this.pin = newPin;
+    this.oldPin = oldPin;
+    this.numWrongTries = numWrongTries;
+  }
+
+  @Override
+  public char[] provideCurrentPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    if (provided >= numWrongTries) {
+      throw new CancelledException("Number of wrong tries reached: " + provided);
+    } else {
+      provided++;
+      return oldPin;
+    }
+  }
+
+  public int getProvided() {
+    return provided;
+  }
+
+  @Override
+  public char[] provideNewPIN(PINSpec spec) {
+    return pin;
+  }
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidPINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidPINProvider.java
new file mode 100644
index 00000000..db01fd0d
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/InvalidPINProvider.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public class InvalidPINProvider extends DummyPINGUI implements PINGUI {
+
+  int provided = 0;
+  int numWrongTries = 0;
+  char[] pin;
+
+  public InvalidPINProvider(char[] pin, int numWrongTries) {
+    super();
+    this.pin = pin;
+    this.numWrongTries = numWrongTries;
+  }
+
+  @Override
+  public char[] providePIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    if (provided >= numWrongTries) {
+      throw new CancelledException("Number of wrong tries reached: " + provided);
+    } else {
+      provided++;
+      return pin;
+    }
+  }
+
+  public int getProvided() {
+    return provided;
+  }
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/SMCCTestPINProvider.java b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/SMCCTestPINProvider.java
new file mode 100644
index 00000000..dffc90d7
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/pin/gui/SMCCTestPINProvider.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.pin.gui;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+
+public class SMCCTestPINProvider extends DummyPINGUI implements PINGUI {
+
+  public int provided = 0;
+  char[] pin;
+
+  public SMCCTestPINProvider(char[] pin) {
+    this.pin = pin;
+  }
+
+  @Override
+  public char[] providePIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    provided++;
+    return pin;
+  }
+
+  public int getProvided() {
+    return provided;
+  }
+
+ 
+}
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java
index 2ca63eea..62528e6e 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSAppl.java
@@ -69,27 +69,4 @@ public abstract class STARCOSAppl extends AbstractAppl implements CardAppl {
       pin.next().state = PIN.STATE_RESET;
     }
   }
-  
-  public void setPin(int kid, char[] value) {
-    PIN pin = pins.get(kid);
-    if (pin != null) {
-      if (value == null) {
-        pin.pin = null;
-      } else {
-        byte[] b = new byte[8];
-        b[0] = (byte) (0x20 | value.length);
-        for(int i = 1, j = 0; i < b.length; i++) {
-          int h = ((j < value.length) 
-                  ? Character.digit(value[j++], 10) 
-                  : 0x0F);
-          int l = ((j < value.length) 
-                  ? Character.digit(value[j++], 10) 
-                  : 0x0F);
-          b[i] = (byte) ((h << 4) | l);
-        }
-        pin.pin = b;
-      }
-    }
-  }
-
 }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java
index cec305da..8741dd2d 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplGewoehnlicheSignatur.java
@@ -16,7 +16,6 @@
 */
 package at.gv.egiz.smcc.starcos;
 
-import java.io.UnsupportedEncodingException;
 import java.util.Arrays;
 import java.util.Random;
 
@@ -200,12 +199,18 @@ public class STARCOSApplGewoehnlicheSignatur extends STARCOSAppl {
   
 
   protected byte[] EF_C_X509_CH_AUT = new byte[2000];
-  
-  public STARCOSApplGewoehnlicheSignatur(STARCOSCardChannelEmul channel) {
+
+  protected byte[] dst;
+
+  public static final byte[] DST = new byte[] { (byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00, (byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10};
+  public static final byte[] DST_G3 = new byte[] { (byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00, (byte) 0x80, (byte) 0x01, (byte) 0x04 };
+
+  public STARCOSApplGewoehnlicheSignatur(STARCOSCardChannelEmul channel, byte[] dst) {
     super(channel);
     // Files
     System.arraycopy(C_X509_CH_AUT, 0, EF_C_X509_CH_AUT, 0, C_X509_CH_AUT.length);
     putFile(new File(FID_EF_C_X509_CH_AUT, EF_C_X509_CH_AUT, FCI_EF_C_X509_CH_AUT));
+    this.dst = dst;
   }
 
   @Override
@@ -240,12 +245,19 @@ public class STARCOSApplGewoehnlicheSignatur extends STARCOSAppl {
       case 0x81:
         // EXTERNAL AUTHENTICATE
       }
+    case 0xAA:
+      switch (command.getP1()) {
+      case 0x41: 
+        if (Arrays.equals(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x10}, command.getData())) {
+          return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
+        }
+      default:
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x80});
+      }
     case 0xB6:
       switch (command.getP1()) {
       case 0x41: {
         // PSO - COMPUTE DIGITAL SIGNATURE
-        byte[] dst = new byte[] { (byte) 0x84, (byte) 0x03, (byte) 0x80,
-            (byte) 0x02, (byte) 0x00, (byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10};
         if (Arrays.equals(dst, command.getData())) {
           securityEnv = command.getData();
           return new ResponseAPDU(new byte[] {(byte) 0x90, (byte) 0x00});
@@ -328,5 +340,10 @@ public class STARCOSApplGewoehnlicheSignatur extends STARCOSAppl {
     
   }
 
+  @Override
+  public void setPin(int kid, char[] value) {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
   
 }
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java
index b7835a43..c470351a 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplInfobox.java
@@ -156,5 +156,10 @@ public class STARCOSApplInfobox extends STARCOSAppl {
     throw new CardException("Not supported.");
   }
 
+  @Override
+  public void setPin(int kid, char[] value) {
+    throw new UnsupportedOperationException("Not supported yet.");
+  }
+
   
 }
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java
index 9fb5ad37..4036ca41 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSApplSichereSignatur.java
@@ -213,16 +213,14 @@ public class STARCOSApplSichereSignatur extends STARCOSAppl {
 
   protected byte[] EF_C_X509_CH_DS = new byte[2000];
   
-  public STARCOSApplSichereSignatur(STARCOSCardChannelEmul channel) {
+  public STARCOSApplSichereSignatur(STARCOSCardChannelEmul channel, byte[] SS_pin, int pinState) {
     super(channel);
     // Files
     System.arraycopy(C_X509_CH_DS, 0, EF_C_X509_CH_DS, 0, C_X509_CH_DS.length);
     putFile(new File(FID_EF_C_X509_CH_DS, EF_C_X509_CH_DS, FCI_EF_C_X509_CH_DS));
     
     // PINs
-    pins.put(KID_PIN_SS, new PIN(new byte[] { (byte) 0x24, (byte) 0x12,
-        (byte) 0x34, (byte) 0x56, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
-        (byte) 0xFF }, KID_PIN_SS, 3));
+    pins.put(KID_PIN_SS, new PIN(SS_pin, KID_PIN_SS, 3, pinState));
   }
 
   @Override
@@ -344,4 +342,34 @@ public class STARCOSApplSichereSignatur extends STARCOSAppl {
   
   }
 
+  /**
+   * set and activate pin
+   * @param value if null, pin will be set to NOTACTIVE
+   */
+  @Override
+  public void setPin(int kid, char[] value) {
+    PIN pin = pins.get(kid);
+    if (pin != null) {
+      if (value == null) {
+//        pin.pin = null;
+        //TransportPIN
+//        pin.pin = new byte[] { (byte) 0x26, (byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+        pin.state = PIN.STATE_PIN_NOTACTIVE;
+      } else {
+        byte[] b = new byte[8];
+        b[0] = (byte) (0x20 | value.length);
+        for(int i = 1, j = 0; i < b.length; i++) {
+          int h = ((j < value.length)
+                  ? Character.digit(value[j++], 10)
+                  : 0x0F);
+          int l = ((j < value.length)
+                  ? Character.digit(value[j++], 10)
+                  : 0x0F);
+          b[i] = (byte) ((h << 4) | l);
+        }
+        pin.pin = b;
+        pin.state = PIN.STATE_RESET;
+      }
+    }
+  }
 }
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java
index 89030894..2e0c54eb 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardChannelEmul.java
@@ -16,7 +16,6 @@
 */
 package at.gv.egiz.smcc.starcos;
 
-import java.io.UnsupportedEncodingException;
 import java.util.Arrays;
 import java.util.HashMap;
 
@@ -30,6 +29,8 @@ import at.gv.egiz.smcc.CardChannelEmul;
 import at.gv.egiz.smcc.CardEmul;
 import at.gv.egiz.smcc.File;
 import at.gv.egiz.smcc.PIN;
+import java.util.ArrayList;
+import java.util.List;
 
 @SuppressWarnings("restriction")
 public class STARCOSCardChannelEmul extends CardChannelEmul {
@@ -40,14 +41,13 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
    * 
    */
   protected CardEmul cardEmul;
-  
+
+  public final List<File> globalFiles = new ArrayList<File>();
   public final HashMap<Integer, PIN> globalPins = new HashMap<Integer, PIN>();
 
-  public STARCOSCardChannelEmul(CardEmul cardEmul) {
+  public STARCOSCardChannelEmul(CardEmul cardEmul, byte[] Glob_PIN, int PIN_STATE) {
     this.cardEmul = cardEmul;
-    globalPins.put(KID_PIN_Glob, new PIN(new byte[] { (byte) 0x24, (byte) 0x00,
-        (byte) 0x00, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
-        (byte) 0xFF }, KID_PIN_Glob, 10));
+    globalPins.put(KID_PIN_Glob, new PIN(Glob_PIN, KID_PIN_Glob, 10, PIN_STATE));
  }
 
   @Override
@@ -88,6 +88,21 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
           }
         }
         return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x82});
+      } else if (globalFiles != null) {
+        if (command.getP2() != 0x04) {
+          throw new CardException("Not supported.");
+        }
+        for (File file : globalFiles) {
+          if (Arrays.equals(fid, file.fid)) {
+            currentFile = file;
+            byte[] response = new byte[file.fcx.length + 2];
+            System.arraycopy(file.fcx, 0, response, 0, file.fcx.length);
+            response[file.fcx.length] = (byte) 0x90;
+            response[file.fcx.length + 1] = (byte) 0x00;
+            return new ResponseAPDU(response);
+          }
+        }
+        return new ResponseAPDU(new byte[] {(byte) 0x6A, (byte) 0x82});
       } else {
         throw new CardException("Not supported.");
       }
@@ -121,6 +136,23 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
     
   }
   
+  protected ResponseAPDU cmdREAD_RECORD(CommandAPDU command) throws CardException {
+    if (command.getINS() != 0xB2) {
+      throw new IllegalArgumentException("INS has to be 0xB2");
+    }
+    if (currentFile == null) {
+      return new ResponseAPDU(new byte[]{ (byte) 0x69, (byte) 0x86 });
+    }
+    if (command.getP1() != 0x01 || command.getP2() != 0x04) {
+      throw new CardException("Not implemented.");
+    }
+    byte[] response = new byte[currentFile.file.length + 2];
+    System.arraycopy(currentFile.file, 0, response, 0, currentFile.file.length);
+    response[currentFile.file.length] = (byte) 0x90;
+    response[currentFile.file.length + 1] = (byte) 0x00;
+    return new ResponseAPDU(response);
+  }
+
   protected ResponseAPDU cmdREAD_BINARY(CommandAPDU command) throws CardException {
 
     if (command.getINS() != 0xB0) {
@@ -192,6 +224,10 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
       case 0xB0:
         return cmdREAD_BINARY(command);
       
+      // READ RECORD
+      case 0xB2:
+        return cmdREAD_RECORD(command);
+
       // VERIFY
       case 0x20:
         return cmdVERIFY(command);
@@ -248,9 +284,15 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
     }
     
     if (pin != null) {
-  
-      if (reference.length == 0) {
-        return new ResponseAPDU(new byte[] { (byte) 0x63, (byte) (pin.kfpc | 0xC0)});
+
+      if (reference == null || reference.length == 0) {
+        if (pin.state == PIN.STATE_PIN_NOTACTIVE) {
+          return new ResponseAPDU(new byte[] { (byte) 0x69, (byte) 0x84 });
+        } else if (pin.state == PIN.STATE_PIN_BLOCKED) {
+          return new ResponseAPDU(new byte[] { (byte) 0x63, (byte) 0xc0 });
+        } else {
+          return new ResponseAPDU(new byte[] { (byte) 0x63, (byte) (pin.kfpc | 0xC0)});
+        }
       }
       
       if (reference.length != 8) {
@@ -264,7 +306,7 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
   
         case PIN.STATE_RESET:
           pin.state = PIN.STATE_PIN_VERIFIED;
-          
+
         default:
           pin.kfpc = 10;
           return new ResponseAPDU(new byte[] { (byte) 0x90, (byte) 0x00 });
@@ -321,7 +363,20 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
         return new ResponseAPDU(new byte[] {(byte) 0x67, (byte) 0x00});
       }
       
-      response = verifyPin(0xFF & command.getP2(), data);
+      PIN pin;
+      if (currentAppl != null) {
+        pin = currentAppl.pins.get(command.getP2());
+      } else {
+        pin = globalPins.get(command.getP2());
+      }
+      if (pin.state == PIN.STATE_PIN_NOTACTIVE) {
+        pin.pin = data;
+        pin.state = PIN.STATE_RESET;
+        response = new ResponseAPDU(new byte[] { (byte) 0x90, (byte) 0x00 });
+      } else {
+        // P1 == 0x01 not allowed on active pin (?)
+        response = new ResponseAPDU(new byte[] { (byte) 0x6A, (byte) 0x86});
+      }
 
     } else if (command.getP1() == 0x00) {
       
@@ -330,21 +385,22 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
       }
   
       response = verifyPin(0xFF & command.getP2(), Arrays.copyOf(data, 8));
-    
+
+      if (response.getSW() == 0x9000) {
+        PIN pin;
+        if (currentAppl != null) {
+          pin = currentAppl.pins.get(command.getP2());
+        } else {
+          pin = globalPins.get(command.getP2());
+        }
+        pin.pin = Arrays.copyOfRange(data, 8, 16);
+        pin.state = PIN.STATE_PIN_VERIFIED;
+      }
+
     } else {
       return new ResponseAPDU(new byte[] { (byte) 0x6A, (byte) 0x81 });
     }
      
-    if (response.getSW() == 0x9000) {
-      PIN pin;
-      if (currentAppl != null) {
-        pin = currentAppl.pins.get(command.getP2());
-      } else {
-        pin = globalPins.get(command.getP2());
-      }
-      pin.pin = Arrays.copyOfRange(data, 8, 16);
-    }
-
     return response;
     
   }
@@ -353,7 +409,10 @@ public class STARCOSCardChannelEmul extends CardChannelEmul {
     PIN pin = globalPins.get(kid);
     if (pin != null) {
       if (value == null) {
-        pin.pin = null;
+//        pin.pin = null;
+        //TransportPIN
+//        pin.pin = new byte[] { (byte) 0x24, (byte) 0x12, (byte) 0x34, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+        pin.state = PIN.STATE_PIN_NOTACTIVE;
       } else {
         byte[] b = new byte[8];
         b[0] = (byte) (0x20 | value.length);
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java
index 7b2f3fbe..5963fb63 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardEmul.java
@@ -21,30 +21,34 @@ import javax.smartcardio.ATR;
 
 import at.gv.egiz.smcc.CardChannelEmul;
 import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.PIN;
 
 @SuppressWarnings("restriction")
 public class STARCOSCardEmul extends CardEmul {
-  
+
+  public static byte[] DEFAULT_SS_PIN = new byte[] { (byte) 0x26, (byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+  public static byte[] DEFAULT_Glob_PIN = new byte[] { (byte) 0x24, (byte) 0x00, (byte) 0x00, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+
   protected static ATR ATR = new ATR(new byte[] {
       (byte) 0x3b, (byte) 0xbd, (byte) 0x18, (byte) 0x00, (byte) 0x81, (byte) 0x31, (byte) 0xfe, (byte) 0x45, 
       (byte) 0x80, (byte) 0x51, (byte) 0x02, (byte) 0x67, (byte) 0x05, (byte) 0x18, (byte) 0xb1, (byte) 0x02, 
       (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x81, (byte) 0x05, (byte) 0x31
   });
-  
+
   public STARCOSCardEmul() {
-    applications.add(new STARCOSApplSichereSignatur((STARCOSCardChannelEmul) channel));
+    this(DEFAULT_SS_PIN, DEFAULT_Glob_PIN, PIN.STATE_RESET);
+  }
+
+  public STARCOSCardEmul(byte[] SS_PIN, byte[] Glob_PIN, int PIN_STATE) {
+    channel = new STARCOSCardChannelEmul(this, Glob_PIN, PIN_STATE);
+    applications.add(new STARCOSApplSichereSignatur((STARCOSCardChannelEmul) channel, SS_PIN, PIN_STATE));
     applications.add(new STARCOSApplInfobox((STARCOSCardChannelEmul) channel));
-    applications.add(new STARCOSApplGewoehnlicheSignatur((STARCOSCardChannelEmul) channel));
+    applications.add(new STARCOSApplGewoehnlicheSignatur((STARCOSCardChannelEmul) channel,
+            STARCOSApplGewoehnlicheSignatur.DST));
   }
 
   @Override
   public ATR getATR() {
     return ATR;
   }
-
-  @Override
-  protected CardChannelEmul newCardChannel(CardEmul cardEmul) {
-    return new STARCOSCardChannelEmul(this);
-  }
-
 }
\ No newline at end of file
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
index b7dc9a0c..154884d4 100644
--- a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSCardTest.java
@@ -22,12 +22,9 @@ import static org.junit.Assert.assertTrue;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 
-import javax.smartcardio.CardChannel;
 
 import org.junit.Test;
 
@@ -36,25 +33,20 @@ import at.gv.egiz.smcc.CardEmul;
 import at.gv.egiz.smcc.CardNotSupportedException;
 import at.gv.egiz.smcc.CardTerminalEmul;
 import at.gv.egiz.smcc.CardTest;
+import at.gv.egiz.smcc.pin.gui.ChangePINProvider;
+import at.gv.egiz.smcc.pin.gui.InvalidChangePINProvider;
+import at.gv.egiz.smcc.pin.gui.InvalidPINProvider;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.PIN;
 import at.gv.egiz.smcc.PINFormatException;
 import at.gv.egiz.smcc.PINMgmtSignatureCard;
 import at.gv.egiz.smcc.PINSpec;
-import at.gv.egiz.smcc.STARCOSCard;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.smcc.SignatureCardFactory;
-import at.gv.egiz.smcc.CardTest.TestChangePINProvider;
-import at.gv.egiz.smcc.CardTest.TestPINProvider;
-import at.gv.egiz.smcc.PINProvider;
+import at.gv.egiz.smcc.pin.gui.SMCCTestPINProvider;
 import at.gv.egiz.smcc.SignatureCard.KeyboxName;
-import at.gv.egiz.smcc.acos.A03ApplDEC;
-import at.gv.egiz.smcc.acos.A04ApplDEC;
-import at.gv.egiz.smcc.acos.A04ApplSIG;
-import at.gv.egiz.smcc.acos.ACOSAppl;
-import at.gv.egiz.smcc.acos.ACOSApplDEC;
-import at.gv.egiz.smcc.acos.ACOSApplSIG;
 import org.junit.Ignore;
 
 public class STARCOSCardTest extends CardTest {
@@ -69,7 +61,17 @@ public class STARCOSCardTest extends CardTest {
     assertTrue(signatureCard instanceof PINMgmtSignatureCard);
     return signatureCard;
   }
-  
+
+  protected SignatureCard createSignatureCard(byte[] SS_PIN, byte[] Glob_PIN, int pinState)
+      throws CardNotSupportedException {
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    STARCOSCardEmul card = new STARCOSCardEmul(SS_PIN, Glob_PIN, pinState);
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+    assertTrue(signatureCard instanceof PINMgmtSignatureCard);
+    return signatureCard;
+  }
+
   @Test
   public void testGetInfoboxIdentityLinkEmpty() throws SignatureCardException,
       InterruptedException, CardNotSupportedException {
@@ -82,7 +84,7 @@ public class STARCOSCardTest extends CardTest {
     appl.clearInfobox();
 
     byte[] idlink = signatureCard.getInfobox("IdentityLink",
-        new TestPINProvider(pin), null);
+        new SMCCTestPINProvider(pin), null);
     assertNull(idlink);
 
   }
@@ -98,10 +100,10 @@ public class STARCOSCardTest extends CardTest {
     STARCOSApplInfobox appl = (STARCOSApplInfobox) card.getApplication(STARCOSAppl.AID_Infobox);
     appl.setInfoboxHeader((byte) 0xFF);
 
-    signatureCard.getInfobox("IdentityLink", new TestPINProvider(pin), null);
+    signatureCard.getInfobox("IdentityLink", new SMCCTestPINProvider(pin), null);
 
   }
- 
+
   @Test
   public void testGetCerts() throws SignatureCardException,
       InterruptedException, CardNotSupportedException {
@@ -145,7 +147,7 @@ public class STARCOSCardTest extends CardTest {
     signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR);
 
   }
-  
+
   @Test
   public void testSignSichereSignatur() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
@@ -160,7 +162,7 @@ public class STARCOSCardTest extends CardTest {
 
     byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")),
-        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new TestPINProvider(pin), null);
+        KeyboxName.SECURE_SIGNATURE_KEYPAIR, new SMCCTestPINProvider(pin), null);
 
     assertNotNull(signature);
 
@@ -180,12 +182,12 @@ public class STARCOSCardTest extends CardTest {
 
     byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")),
-        KeyboxName.CERITIFIED_KEYPAIR, new TestPINProvider(pin), null);
+        KeyboxName.CERITIFIED_KEYPAIR, new SMCCTestPINProvider(pin), null);
 
     assertNotNull(signature);
 
   }
-  
+
   @Test(expected = LockedException.class)
   public void testSignSichereSignaturInvalidPin() throws SignatureCardException,
       InterruptedException, CardNotSupportedException,
@@ -193,7 +195,7 @@ public class STARCOSCardTest extends CardTest {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("000000".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.SECURE_SIGNATURE_KEYPAIR,
@@ -208,7 +210,7 @@ public class STARCOSCardTest extends CardTest {
 
     SignatureCard signatureCard = createSignatureCard();
 
-    TestPINProvider pinProvider = new TestPINProvider("1234".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("1234".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
@@ -221,12 +223,9 @@ public class STARCOSCardTest extends CardTest {
       InterruptedException, CardNotSupportedException,
       NoSuchAlgorithmException, IOException {
 
-    SignatureCard signatureCard = createSignatureCard();
-    CardEmul card = (CardEmul) signatureCard.getCard();
-    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
-    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, null);
+    SignatureCard signatureCard = createSignatureCard(null, null, PIN.STATE_PIN_BLOCKED);
 
-    TestPINProvider pinProvider = new TestPINProvider("000000".toCharArray());
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("000000".toCharArray());
     assertTrue(pinProvider.getProvided() <= 0);
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
@@ -240,68 +239,79 @@ public class STARCOSCardTest extends CardTest {
       InterruptedException, CardNotSupportedException,
       NoSuchAlgorithmException, IOException {
 
-    SignatureCard signatureCard = createSignatureCard();
-    CardEmul card = (CardEmul) signatureCard.getCard();
-    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
-    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, null);
-
-    TestPINProvider pinProvider = new TestPINProvider("0000".toCharArray());
+    SignatureCard signatureCard = createSignatureCard(null, null, PIN.STATE_PIN_BLOCKED);
+    
+    SMCCTestPINProvider pinProvider = new SMCCTestPINProvider("0000".toCharArray());
 
     signatureCard.createSignature(new ByteArrayInputStream("MOCCA"
         .getBytes("ASCII")), KeyboxName.CERITIFIED_KEYPAIR,
         pinProvider, null);
 
   }
-  
+
   @Test
   public void testChangePin() throws CardNotSupportedException,
       LockedException, NotActivatedException, CancelledException,
       PINFormatException, SignatureCardException, InterruptedException {
 
-    char[] defaultPin = "123456".toCharArray();
-
-    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
-    CardEmul card = (CardEmul) signatureCard.getCard();
-    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
-    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, defaultPin);
-    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
-    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, defaultPin);
+    // set all initial pins to DEFAULT_SS_PIN (123456)
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard(
+            STARCOSCardEmul.DEFAULT_SS_PIN, STARCOSCardEmul.DEFAULT_SS_PIN, PIN.STATE_RESET);
     
     for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
-      char[] pin = defaultPin;
+      char[] pin = "123456".toCharArray();
 
       for (int i = pinSpec.getMinLength(); i <= pinSpec.getMaxLength(); i++) {
-        signatureCard.verifyPIN(pinSpec, new TestPINProvider(pin));
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
         char[] newPin = new char[i];
         Arrays.fill(newPin, '0');
         signatureCard
-            .changePIN(pinSpec, new TestChangePINProvider(pin, newPin));
-        signatureCard.verifyPIN(pinSpec, new TestPINProvider(newPin));
+            .changePIN(pinSpec, new ChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(newPin));
         pin = newPin;
       }
     }
   }
 
   @Test
-  public void testVerifyInvalidPin() throws CardNotSupportedException,
+  @Override
+  public void testActivatePin() throws CardNotSupportedException,
       LockedException, NotActivatedException, CancelledException,
       PINFormatException, SignatureCardException, InterruptedException {
 
-    char[] defaultPin = "123456".toCharArray();
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard(
+            null, null, PIN.STATE_PIN_NOTACTIVE);
+
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
+
+      char[] pin = "1234567890".substring(0, pinSpec.getMinLength()).toCharArray();
+
+      boolean notActive = false;
+      try {
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
+      } catch (NotActivatedException ex) {
+        notActive = true;
+      }
+      assertTrue(notActive);
+
+      signatureCard.activatePIN(pinSpec, new ChangePINProvider(null, pin));
+      signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
+    }
+  }
+
+  @Test
+  public void testVerifyInvalidPin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
 
     PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
-    CardEmul card = (CardEmul) signatureCard.getCard();
-    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
-    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, defaultPin);
-    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
-    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, defaultPin);
 
     for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
       char[] invalidPin = "999999".toCharArray();
       int numInvalidTries = 2;
-      TestInvalidPINProvider invalidPinProvider = new TestInvalidPINProvider(invalidPin, numInvalidTries);
+      InvalidPINProvider invalidPinProvider = new InvalidPINProvider(invalidPin, numInvalidTries);
       try {
         signatureCard.verifyPIN(pinSpec, invalidPinProvider);
       } catch (CancelledException ex) {
@@ -315,21 +325,15 @@ public class STARCOSCardTest extends CardTest {
   public void testChangeInvalidPin() throws CardNotSupportedException,
       LockedException, NotActivatedException, CancelledException,
       PINFormatException, SignatureCardException, InterruptedException {
-    char[] defaultPin = "123456".toCharArray();
 
     PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard();
-    CardEmul card = (CardEmul) signatureCard.getCard();
-    STARCOSCardChannelEmul channel = (STARCOSCardChannelEmul) card.getBasicChannel();
-    channel.setPin(STARCOSCardChannelEmul.KID_PIN_Glob, defaultPin);
-    STARCOSApplSichereSignatur appl = (STARCOSApplSichereSignatur) card.getApplication(STARCOSApplSichereSignatur.AID_SichereSignatur);
-    appl.setPin(STARCOSApplSichereSignatur.KID_PIN_SS, defaultPin);
-
+    
     for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
 
       char[] invalidPin = "999999".toCharArray();
       int numInvalidTries = 2;
-      TestInvalidChangePINProvider invalidPinProvider =
-              new TestInvalidChangePINProvider(invalidPin, defaultPin, numInvalidTries);
+      InvalidChangePINProvider invalidPinProvider =
+              new InvalidChangePINProvider(invalidPin, invalidPin, numInvalidTries);
 
       try {
         signatureCard.changePIN(pinSpec, invalidPinProvider);
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardChannelEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardChannelEmul.java
new file mode 100644
index 00000000..dc6836ae
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardChannelEmul.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.starcos;
+
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.File;
+import at.gv.egiz.smcc.PIN;
+
+/**
+ *
+ * @author clemens
+ */
+public class STARCOSG3CardChannelEmul extends STARCOSCardChannelEmul {
+
+  public STARCOSG3CardChannelEmul(CardEmul cardEmul, byte[] Glob_PIN, int PIN_STATE) {
+    super(cardEmul, Glob_PIN, PIN_STATE);
+
+    // G3 version file
+    byte[] versionFileFID = new byte[]{(byte) 0x00, (byte) 0x32};
+    byte[] versionFile = new byte[]{
+      (byte) 0xa5, (byte) 0x0e, (byte) 0x53, (byte) 0x02, (byte) 0x01, (byte) 0x20, (byte) 0x54, (byte) 0x08,
+      (byte) 0x01, (byte) 0x01, (byte) 0x03, (byte) 0x01, (byte) 0x04, (byte) 0x01, (byte) 0x70, (byte) 0x01};
+    byte[] versionFileFCX = new byte[]{
+      (byte) 0x62, (byte) 0x1a, (byte) 0x80, (byte) 0x02, (byte) 0x00, (byte) 0x14, (byte) 0x82, (byte) 0x05,
+      (byte) 0x44, (byte) 0x41, (byte) 0x00, (byte) 0x14, (byte) 0x01, (byte) 0x83, (byte) 0x02, (byte) 0x00,
+      (byte) 0x32, (byte) 0x88, (byte) 0x01, (byte) 0xd8, (byte) 0x8a, (byte) 0x01, (byte) 0x05, (byte) 0xa1,
+      (byte) 0x03, (byte) 0x8b, (byte) 0x01, (byte) 0x03};
+
+    globalFiles.add(new File(versionFileFID, versionFile, versionFileFCX));
+
+  }
+ }
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardEmul.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardEmul.java
new file mode 100644
index 00000000..7583b3ad
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardEmul.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.smcc.starcos;
+
+import at.gv.egiz.smcc.CardEmul;
+import javax.smartcardio.ATR;
+
+import at.gv.egiz.smcc.PIN;
+
+@SuppressWarnings("restriction")
+public class STARCOSG3CardEmul extends CardEmul {
+
+  public static byte[] TRANSPORT_SS_PIN = new byte[] { (byte) 0x26, (byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+  public static byte[] TRANSPORT_Glob_PIN = new byte[] { (byte) 0x24, (byte) 0x12, (byte) 0x34, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+
+  public static byte[] DEFAULT_SS_PIN = TRANSPORT_SS_PIN;
+  public static byte[] DEFAULT_Glob_PIN = new byte[] { (byte) 0x24, (byte) 0x00, (byte) 0x00, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+
+  protected static ATR ATR = new ATR(new byte[] {
+      (byte) 0x3b, (byte) 0xbd, (byte) 0x18, (byte) 0x00, (byte) 0x81, (byte) 0x31, (byte) 0xfe, (byte) 0x45,
+      (byte) 0x80, (byte) 0x51, (byte) 0x02, (byte) 0x67, (byte) 0x05, (byte) 0x18, (byte) 0xb1, (byte) 0x02,
+      (byte) 0x02, (byte) 0x02, (byte) 0x01, (byte) 0x81, (byte) 0x05, (byte) 0x31
+  });
+
+  public STARCOSG3CardEmul(byte[] SS_PIN, byte[] Glob_PIN, int PIN_STATE){
+    channel = new STARCOSG3CardChannelEmul(this, Glob_PIN, PIN_STATE);
+    applications.add(new STARCOSApplSichereSignatur((STARCOSCardChannelEmul) channel,
+            SS_PIN, PIN_STATE));
+    applications.add(new STARCOSApplInfobox((STARCOSCardChannelEmul) channel));
+    applications.add(new STARCOSApplGewoehnlicheSignatur((STARCOSCardChannelEmul) channel,
+            STARCOSApplGewoehnlicheSignatur.DST_G3));
+  }
+
+
+  public STARCOSG3CardEmul() {
+    this(DEFAULT_SS_PIN, DEFAULT_Glob_PIN, PIN.STATE_RESET);
+  }
+
+  @Override
+  public ATR getATR() {
+    return ATR;
+  }
+}
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardTest.java
new file mode 100644
index 00000000..06744c82
--- /dev/null
+++ b/smcc/src/test/java/at/gv/egiz/smcc/starcos/STARCOSG3CardTest.java
@@ -0,0 +1,119 @@
+/*
+* Copyright 2008 Federal Chancellery Austria and
+* Graz University of Technology
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*     http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package at.gv.egiz.smcc.starcos;
+
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+
+
+import org.junit.Test;
+
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.CardEmul;
+import at.gv.egiz.smcc.CardNotSupportedException;
+import at.gv.egiz.smcc.CardTerminalEmul;
+import at.gv.egiz.smcc.CardTest;
+import at.gv.egiz.smcc.pin.gui.ChangePINProvider;
+import at.gv.egiz.smcc.LockedException;
+import at.gv.egiz.smcc.NotActivatedException;
+import at.gv.egiz.smcc.PIN;
+import at.gv.egiz.smcc.PINFormatException;
+import at.gv.egiz.smcc.PINMgmtSignatureCard;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.SignatureCard;
+import at.gv.egiz.smcc.SignatureCardException;
+import at.gv.egiz.smcc.SignatureCardFactory;
+import at.gv.egiz.smcc.pin.gui.SMCCTestPINProvider;
+import org.junit.Ignore;
+
+public class STARCOSG3CardTest extends CardTest {
+
+  @Override
+  protected SignatureCard createSignatureCard()
+      throws CardNotSupportedException {
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    STARCOSG3CardEmul card = new STARCOSG3CardEmul();
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+    assertTrue(signatureCard instanceof PINMgmtSignatureCard);
+    return signatureCard;
+  }
+
+  protected SignatureCard createSignatureCard(byte[] SS_PIN, byte[] Glob_PIN, int pinState)
+      throws CardNotSupportedException {
+    SignatureCardFactory factory = SignatureCardFactory.getInstance();
+    STARCOSG3CardEmul card = new STARCOSG3CardEmul(SS_PIN, Glob_PIN, pinState);
+    SignatureCard signatureCard = factory.createSignatureCard(card,
+        new CardTerminalEmul(card));
+    assertTrue(signatureCard instanceof PINMgmtSignatureCard);
+    return signatureCard;
+  }
+
+  @Test
+  public void testChangePin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard(
+            STARCOSG3CardEmul.DEFAULT_SS_PIN, STARCOSG3CardEmul.DEFAULT_SS_PIN, PIN.STATE_RESET);
+    
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
+
+      char[] pin = "123456".toCharArray();
+
+      for (int i = pinSpec.getMinLength(); i <= pinSpec.getMaxLength(); i++) {
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
+        char[] newPin = new char[i];
+        Arrays.fill(newPin, '0');
+        signatureCard
+            .changePIN(pinSpec, new ChangePINProvider(pin, newPin));
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(newPin));
+        pin = newPin;
+      }
+    }
+  }
+
+  @Test
+  @Override
+  public void testActivatePin() throws CardNotSupportedException,
+      LockedException, NotActivatedException, CancelledException,
+      PINFormatException, SignatureCardException, InterruptedException {
+
+    PINMgmtSignatureCard signatureCard = (PINMgmtSignatureCard) createSignatureCard(
+            STARCOSG3CardEmul.TRANSPORT_SS_PIN, STARCOSG3CardEmul.TRANSPORT_SS_PIN, PIN.STATE_PIN_NOTACTIVE);
+    
+    for (PINSpec pinSpec : signatureCard.getPINSpecs()) {
+
+      char[] pin = "123456789".substring(0, pinSpec.getMinLength()).toCharArray();
+      char[] transportPIN = "123456".toCharArray();
+
+      boolean notActive = false;
+      try {
+        signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
+      } catch (NotActivatedException ex) {
+        notActive = true;
+      }
+      assertTrue(notActive);
+
+      signatureCard.activatePIN(pinSpec, new ChangePINProvider(transportPIN, pin));
+      signatureCard.verifyPIN(pinSpec, new SMCCTestPINProvider(pin));
+    }
+  }
+
+  
+}
diff --git a/smccSTAL/src/main/java/META-INF/MANIFEST.MF b/smccSTAL/src/main/java/META-INF/MANIFEST.MF
deleted file mode 100644
index 5e949512..00000000
--- a/smccSTAL/src/main/java/META-INF/MANIFEST.MF
+++ /dev/null
@@ -1,3 +0,0 @@
-Manifest-Version: 1.0
-Class-Path: 
-
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/AbstractPINProvider.java b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/AbstractPINProvider.java
new file mode 100644
index 00000000..00738188
--- /dev/null
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/AbstractPINProvider.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.smcc.pin.gui.PINProvider;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * common super class providing action listener for all PIN GUIs
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public abstract class AbstractPINProvider implements ActionListener {
+
+  protected static final Log log = LogFactory.getLog(AbstractPINProvider.class);
+
+  protected String action;
+  protected boolean actionPerformed;
+
+  protected synchronized void waitForAction() throws InterruptedException {
+    try {
+      while (!actionPerformed) {
+        this.wait();
+      }
+    } catch (InterruptedException e) {
+      log.error("[" + Thread.currentThread().getName() + "] interrupt in waitForAction");
+      throw e;
+    }
+    actionPerformed = false;
+  }
+
+  private synchronized void actionPerformed() {
+    actionPerformed = true;
+    notify();//All();
+  }
+
+  @Override
+  public void actionPerformed(ActionEvent e) {
+    log.debug("[" + Thread.currentThread().getName() + "] action performed - " + e.getActionCommand());
+    action = e.getActionCommand();
+    actionPerformed();
+  }
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINGUI.java b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINGUI.java
new file mode 100644
index 00000000..81db0e90
--- /dev/null
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINGUI.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.smccstal.SecureViewer;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
+import at.gv.egiz.stal.signedinfo.SignedInfoType;
+import java.security.DigestException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * The number of retries is not fixed and there is no way (?) to obtain this value.
+ * A PINProvider should therefore maintain an internal retry counter or flag
+ * to decide whether or not to warn the user (num retries passed in providePIN).
+ *
+ * Therefore PINProvider objects should not be reused.
+ *
+ * (ACOS: reload counter: between 0 and 15, where 15 meens deactivated)
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class SignPINGUI extends SignPINProvider implements PINGUI {
+
+  protected static final Log log = LogFactory.getLog(SignPINGUI.class);
+
+  private boolean retry = false;
+
+  public SignPINGUI(BKUGUIFacade gui, SecureViewer viewer, SignedInfoType signedInfo) {
+    super(gui, viewer, signedInfo);
+  }
+
+  @Override
+  public void enterPINDirect(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    if (retry) {
+      gui.showEnterPINDirect(spec, retries);
+    } else {
+      showSignatureData(spec);
+      gui.showEnterPINDirect(spec, -1);
+      retry = true;
+    }
+  }
+
+  @Override
+  public void enterPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+    if (retry) {
+      gui.showEnterPIN(spec, retries);
+    } else {
+      showSignatureData(spec);
+      gui.showEnterPIN(spec, -1);
+      retry = true;
+    }
+  }
+
+  private void showSignatureData(PINSpec spec)
+          throws CancelledException, InterruptedException {
+
+    gui.showSignatureDataDialog(spec,
+            this, "enterPIN",
+            this, "cancel",
+            this, "secureViewer");
+
+    do {
+      log.trace("[" + Thread.currentThread().getName() + "] wait for action");
+      waitForAction();
+      log.trace("[" + Thread.currentThread().getName() + "] received action " + action);
+
+      if ("secureViewer".equals(action)) {
+        try {
+          viewer.displayDataToBeSigned(signedInfo, this, "signatureData");
+        } catch (DigestException ex) {
+          log.error("Bad digest value: " + ex.getMessage());
+          gui.showErrorDialog(BKUGUIFacade.ERR_INVALID_HASH,
+                  new Object[]{ex.getMessage()},
+                  this, "error");
+        } catch (Exception ex) {
+          log.error("Could not display hashdata inputs: " +
+                  ex.getMessage());
+          gui.showErrorDialog(BKUGUIFacade.ERR_DISPLAY_HASHDATA,
+                  new Object[]{ex.getMessage()},
+                  this, "error");
+        }
+      } else if ("signatureData".equals(action)) {
+        gui.showSignatureDataDialog(spec,
+                this, "enterPIN",
+                this, "cancel",
+                this, "secureViewer");
+      } else if ("enterPIN".equals(action)) {
+        return;
+      } else if ("cancel".equals(action) ||
+              "error".equals(action)) {
+        gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+                BKUGUIFacade.MESSAGE_WAIT);
+        throw new CancelledException(spec.getLocalizedName() +
+                " entry cancelled");
+      } else {
+        log.error("unknown action command " + action);
+      }
+    } while (true);
+  }
+
+  @Override
+  public void validKeyPressed() {
+    gui.validKeyPressed();
+  }
+
+  @Override
+  public void correctionButtonPressed() {
+    gui.correctionButtonPressed();
+  }
+
+  @Override
+  public void allKeysCleared() {
+    gui.allKeysCleared();
+  }
+
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINProvider.java b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINProvider.java
new file mode 100644
index 00000000..fc1d39af
--- /dev/null
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/SignPINProvider.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.smccstal.SecureViewer;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.pin.gui.PINProvider;
+import at.gv.egiz.stal.signedinfo.SignedInfoType;
+import java.security.DigestException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * The number of retries is not fixed and there is no way (?) to obtain this value.
+ * A PINProvider should therefore maintain an internal retry counter or flag
+ * to decide whether or not to warn the user (num retries passed in providePIN).
+ *
+ * Therefore PINProvider objects should not be reused.
+ *
+ * (ACOS: reload counter: between 0 and 15, where 15 meens deactivated)
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class SignPINProvider extends AbstractPINProvider implements PINProvider {
+
+  protected static final Log log = LogFactory.getLog(SignPINProvider.class);
+
+  protected BKUGUIFacade gui;
+  protected SecureViewer viewer;
+  protected SignedInfoType signedInfo;
+  private boolean retry = false;
+
+  public SignPINProvider(BKUGUIFacade gui, SecureViewer viewer, SignedInfoType signedInfo) {
+    this.gui = gui;
+    this.viewer = viewer;
+    this.signedInfo = signedInfo;
+  }
+
+  @Override
+  public char[] providePIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+
+    gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
+            this, "sign",
+            this, "cancel",
+            this, "secureViewer");
+
+    do {
+      log.trace("[" + Thread.currentThread().getName() + "] wait for action");
+      waitForAction();
+      log.trace("[" + Thread.currentThread().getName() + "] received action " + action);
+
+      if ("secureViewer".equals(action)) {
+        try {
+          viewer.displayDataToBeSigned(signedInfo, this, "pinEntry");
+        } catch (DigestException ex) {
+          log.error("Bad digest value: " + ex.getMessage());
+          gui.showErrorDialog(BKUGUIFacade.ERR_INVALID_HASH,
+                  new Object[]{ex.getMessage()},
+                  this, "error");
+        } catch (Exception ex) {
+          log.error("Could not display hashdata inputs: " +
+                  ex.getMessage());
+          gui.showErrorDialog(BKUGUIFacade.ERR_DISPLAY_HASHDATA,
+                  new Object[]{ex.getMessage()},
+                  this, "error");
+        }
+      } else if ("sign".equals(action)) {
+        gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+                BKUGUIFacade.MESSAGE_WAIT);
+        retry = true;
+        return gui.getPin();
+      } else if ("pinEntry".equals(action)) {
+        gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
+                this, "sign",
+                this, "cancel",
+                this, "secureViewer");
+      } else if ("cancel".equals(action) ||
+              "error".equals(action)) {
+        gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+                BKUGUIFacade.MESSAGE_WAIT);
+        throw new CancelledException(spec.getLocalizedName() +
+                " entry cancelled");
+      } else {
+        log.error("unknown action command " + action);
+      }
+    } while (true);
+  }
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINGUI.java b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINGUI.java
new file mode 100644
index 00000000..dc21492e
--- /dev/null
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINGUI.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * The number of retries is not fixed and there is no way (?) to obtain this value.
+ * A PINProvider should therefore maintain an internal retry counter or flag
+ * to decide whether or not to warn the user (num retries passed in providePIN).
+ *
+ * Therefore PINProvider objects should not be reused.
+ *
+ * (ACOS: reload counter: between 0 and 15, where 15 meens deactivated)
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class VerifyPINGUI extends VerifyPINProvider implements PINGUI {
+
+  protected static final Log log = LogFactory.getLog(VerifyPINGUI.class);
+
+  private boolean retry = false;
+
+  public VerifyPINGUI(BKUGUIFacade gui) {
+    super(gui);
+  }
+
+  @Override
+  public void enterPINDirect(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {    
+    gui.showEnterPINDirect(spec, (retry) ? retries : -1);
+    retry = true;
+  }
+
+  @Override
+  public void enterPIN(PINSpec spec, int retries) {
+    gui.showEnterPIN(spec, (retry) ? retries : -1);
+    retry = true;
+  }
+
+
+  @Override
+  public void validKeyPressed() {
+    gui.validKeyPressed();
+  }
+
+  @Override
+  public void correctionButtonPressed() {
+    gui.correctionButtonPressed();
+  }
+
+  @Override
+  public void allKeysCleared() {
+    gui.allKeysCleared();
+  }
+
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINProvider.java b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINProvider.java
new file mode 100644
index 00000000..fda1e402
--- /dev/null
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/pin/gui/VerifyPINProvider.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.pin.gui.PINProvider;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * The number of retries is not fixed and there is no way (?) to obtain this value.
+ * A PINProvider should therefore maintain an internal retry counter or flag
+ * to decide whether or not to warn the user (num retries passed in providePIN).
+ *
+ * Therefore PINProvider objects should not be reused.
+ *
+ * (ACOS: reload counter: between 0 and 15, where 15 meens deactivated)
+ *
+ * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
+ */
+public class VerifyPINProvider extends AbstractPINProvider implements PINProvider {
+
+  protected static final Log log = LogFactory.getLog(VerifyPINProvider.class);
+
+  protected BKUGUIFacade gui;
+  private boolean retry = false;
+
+  public VerifyPINProvider(BKUGUIFacade gui) {
+    this.gui = gui;
+  }
+
+  @Override
+  public char[] providePIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+
+    gui.showVerifyPINDialog(spec, (retry) ? retries : -1,
+            this, "verify",
+            this, "cancel");
+
+    log.trace("[" + Thread.currentThread().getName() + "] wait for action");
+    waitForAction();
+    log.trace("[" + Thread.currentThread().getName() + "] received action " + action);
+
+    if ("cancel".equals(action)) {
+      gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+              BKUGUIFacade.MESSAGE_WAIT);
+      throw new CancelledException(spec.getLocalizedName() +
+              " entry cancelled");
+    }
+    
+    gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+            BKUGUIFacade.MESSAGE_WAIT);
+    retry = true;
+    return gui.getPin();
+  }
+}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java
deleted file mode 100644
index bc52c955..00000000
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/AbstractPINProvider.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package at.gv.egiz.bku.smccstal;
-
-import at.gv.egiz.smcc.PINProvider;
-import java.awt.event.ActionEvent;
-import java.awt.event.ActionListener;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-/**
- *
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public abstract class AbstractPINProvider implements PINProvider, ActionListener {
-
-  protected static final Log log = LogFactory.getLog(AbstractPINProvider.class);
-
-  protected boolean retry = false;
-
-  protected String action;
-
-  protected boolean actionPerformed;
-
-//  protected void waitForAction() throws InterruptedException {
-//    super.wait();
-//  }
-
-  protected synchronized void waitForAction() throws InterruptedException {
-    try {
-      while (!actionPerformed) {
-        this.wait();
-      }
-    } catch (InterruptedException e) {
-      log.error("[" + Thread.currentThread().getName() + "] interrupt in waitForAction");
-      throw e;
-    }
-    actionPerformed = false;
-  }
-
-  private synchronized void actionPerformed() {
-    actionPerformed = true;
-    notify();//All();
-  }
-
-  @Override
-  public void actionPerformed(ActionEvent e) {
-    log.debug("[" + Thread.currentThread().getName() + "] action performed - " + e.getActionCommand());
-    action = e.getActionCommand();
-    actionPerformed();
-  }
-}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
index 32e990c5..b34ab862 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java
@@ -17,14 +17,13 @@
 package at.gv.egiz.bku.smccstal;
 
 import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.pin.gui.VerifyPINGUI;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
-import at.gv.egiz.smcc.PINProvider;
-import at.gv.egiz.smcc.PINSpec;
 import at.gv.egiz.smcc.SignatureCard;
 import at.gv.egiz.smcc.SignatureCardException;
 import at.gv.egiz.stal.ErrorResponse;
@@ -49,8 +48,7 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler {
           newSTALMessage("Message.RequestCaption", "Message.IdentityLink");
           log.debug("Handling identitylink infobox");
           byte[] resp = card.getInfobox(infoBox.getInfoboxIdentifier(),
-                  new PINProviderFactory(card.getReader(), gui)
-                  .getCardPINProvider(),
+                  new VerifyPINGUI(gui),
                   infoBox.getDomainIdentifier());
           if (resp == null) {
             log.info("Infobox doesn't contain any data. Assume card is not activated.");
@@ -97,8 +95,7 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler {
           log.warn("Unknown infobox identifier: "
               + infoBox.getInfoboxIdentifier() + " trying generic request");
           byte[] resp = card.getInfobox(infoBox.getInfoboxIdentifier(),
-                  new PINProviderFactory(card.getReader(), gui)
-                  .getCardPINProvider(),
+                  new VerifyPINGUI(gui),
                   infoBox.getDomainIdentifier());
           if (resp == null) {
             return new ErrorResponse(6001);
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java
deleted file mode 100644
index e5afe0ae..00000000
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/PINProviderFactory.java
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package at.gv.egiz.bku.smccstal;
-
-import at.gv.egiz.bku.gui.BKUGUIFacade;
-import at.gv.egiz.smcc.CancelledException;
-import at.gv.egiz.smcc.ccid.CCID;
-import at.gv.egiz.smcc.PINProvider;
-import at.gv.egiz.smcc.PINSpec;
-import at.gv.egiz.stal.signedinfo.SignedInfoType;
-import java.security.DigestException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-/**
- * don't reuse the instance if the card reader might have changed!
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public class PINProviderFactory {
-
-  protected static final Log log = LogFactory.getLog(PINProviderFactory.class);
-
-  protected CCID reader;
-  protected BKUGUIFacade gui;
-
-  /**
-   * don't reuse the instance if the card reader might have changed!
-   * @param reader
-   * @param gui
-   */
-  public PINProviderFactory(CCID reader, BKUGUIFacade gui) {
-    log.trace("PINProviderFactory for " + reader.getName());
-    this.reader = reader;
-    this.gui = gui;
-  }
-
-
-  
-//  public static PINProviderFactory getInstance(SignatureCard forCard,
-//          BKUGUIFacade gui) {
-//    if (forCard.getReader().hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT) ||
-//            forCard.getReader().hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-//      return new PinpadPINProviderFactory(gui);
-//    } else {
-//      return new SoftwarePINProviderFactory(gui);
-//    }
-//  }
-
-  /**
-   * don't reuse the instance if the card reader might have changed!
-   * @param reader
-   * @param gui
-   * @return
-   */
-//  public static PINProviderFactory getInstance(CCID reader, BKUGUIFacade gui) {
-//    log.trace("PINProviderFactory for " + reader.getName());
-//    return new PINProviderFactory(reader, gui);
-//  }
-
-  public PINProvider getSignaturePINProvider(SecureViewer viewer,
-          SignedInfoType signedInfo) {
-    if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_START) ||
-            reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-      log.debug("pinpad signature-pin provider");
-      return new PinpadSignaturePinProvider(viewer, signedInfo);
-    } else {
-      log.debug("software signature-pin provider");
-      return new SoftwareSignaturePinProvider(viewer, signedInfo);
-    }
-  }
-
-  public PINProvider getCardPINProvider() {
-    if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_START) ||
-            reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-      log.debug("pinpad card-pin provider");
-      return new PinpadCardPinProvider();
-    } else {
-      log.debug("software card-pin provider");
-      return new SoftwareCardPinProvider();
-    }
-  }
-
-  class SoftwareSignaturePinProvider extends AbstractPINProvider {
-
-    protected SecureViewer viewer;
-    protected SignedInfoType signedInfo;
-
-    private SoftwareSignaturePinProvider(SecureViewer viewer,
-            SignedInfoType signedInfo) {
-      this.viewer = viewer;
-      this.signedInfo = signedInfo;
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-
-      gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
-              this, "sign",
-              this, "cancel",
-              this, "secureViewer");
-
-      do {
-        log.debug("[" + Thread.currentThread().getName() + "] wait for action");
-        waitForAction();
-        log.debug("[" + Thread.currentThread().getName() + "] received action");
-
-        if ("secureViewer".equals(action)) {
-          try {
-            viewer.displayDataToBeSigned(signedInfo, this, "pinEntry");
-          } catch (DigestException ex) {
-            log.error("Bad digest value: " + ex.getMessage());
-            gui.showErrorDialog(BKUGUIFacade.ERR_INVALID_HASH,
-                    new Object[]{ex.getMessage()},
-                    this, "error");
-          } catch (Exception ex) {
-            log.error("Could not display hashdata inputs: " +
-                    ex.getMessage());
-            gui.showErrorDialog(BKUGUIFacade.ERR_DISPLAY_HASHDATA,
-                    new Object[]{ex.getMessage()},
-                    this, "error");
-          }
-        } else if ("sign".equals(action)) {
-          gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
-                BKUGUIFacade.MESSAGE_WAIT);
-          retry = true;
-          return gui.getPin();
-        } else if ("pinEntry".equals(action)) {
-          gui.showSignaturePINDialog(spec, (retry) ? retries : -1,
-                  this, "sign",
-                  this, "cancel",
-                  this, "secureViewer");
-        } else if ("cancel".equals(action) ||
-                "error".equals(action)) {
-          gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
-                BKUGUIFacade.MESSAGE_WAIT);
-          throw new CancelledException(spec.getLocalizedName() +
-                  " entry cancelled");
-        } else {
-          log.error("unknown action command " + action);
-        }
-      } while (true);
-    }
-  }
-
-  class SoftwareCardPinProvider extends AbstractPINProvider {
-
-    private SoftwareCardPinProvider() {
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-
-      gui.showCardPINDialog(spec, (retry) ? retries : -1,
-              this, "ok",
-              this, "cancel");
-
-      log.debug("[" + Thread.currentThread().getName() + "] wait for action");
-      waitForAction();
-
-      gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
-              BKUGUIFacade.MESSAGE_WAIT);
-
-      if ("cancel".equals(action)) {
-        throw new CancelledException(spec.getLocalizedName() +
-                  " entry cancelled");
-      }
-      retry = true;
-      return gui.getPin();
-    }
-  }
-
-    class PinpadSignaturePinProvider extends AbstractPINProvider {
-
-//    protected BKUGUIFacade gui;
-    protected SecureViewer viewer;
-    protected ViewerThread viewerThread;
-    protected SignedInfoType signedInfo;
-
-
-    private PinpadSignaturePinProvider(SecureViewer viewer,
-            SignedInfoType signedInfo) {
-      this.viewer = viewer;
-      this.signedInfo = signedInfo;
-    }
-
-    protected class ViewerThread extends Thread {
-
-      PINSpec pinSpec;
-      int retries;
-
-      public ViewerThread(PINSpec pinSpec, int retries) {
-        this.pinSpec = pinSpec;
-        this.retries = retries;
-      }
-
-      @Override
-      public void run() {
-
-        try {
-
-          gui.showPinpadSignaturePINDialog(pinSpec, retries,
-              PinpadSignaturePinProvider.this, "secureViewer");
-
-          while (true) {
-            log.debug("[" + Thread.currentThread().getName() + "] wait for action");
-            waitForAction();
-            log.debug("[" + Thread.currentThread().getName() + "] received action");
-
-            if ("secureViewer".equals(action)) {
-              viewer.displayDataToBeSigned(signedInfo,
-                      PinpadSignaturePinProvider.this, "pinEntry");
-            } else if ("pinEntry".equals(action)) {
-              gui.showPinpadSignaturePINDialog(pinSpec, retries,
-                      PinpadSignaturePinProvider.this, "secureViewer");
-            } else {
-              log.error("unsupported action command: " + action);
-            }
-          }
-
-        } catch (DigestException ex) {
-          log.error("Bad digest value: " + ex.getMessage());
-          gui.showErrorDialog(BKUGUIFacade.ERR_INVALID_HASH,
-                  new Object[]{ex.getMessage()});
-        } catch (InterruptedException ex) {
-          log.info("pinpad secure viewer thread interrupted");
-        } catch (Exception ex) {
-          log.error("Could not display hashdata inputs: " +
-                  ex.getMessage());
-          gui.showErrorDialog(BKUGUIFacade.ERR_DISPLAY_HASHDATA,
-                  new Object[]{ex.getMessage()});
-        }
-      }
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-
-      if (viewerThread != null) {
-        updateViewerThread(retries);
-      } else {
-        viewerThread = new ViewerThread(spec, -1);
-        viewerThread.start();
-      }
-//      if (viewerThread != null) {
-//        log.trace("interrupt old secure viewer thread");
-//        viewerThread.interrupt();
-//      }
-//      viewerThread = new ViewerThread(spec, (retry) ? retries : -1);
-//      log.trace("start new secure viewer thread");
-//      viewerThread.start();
-
-      retry = true;
-      return null;
-    }
-
-    private synchronized void updateViewerThread(int retries) {
-      log.trace("update viewer thread");
-      viewerThread.retries = retries;
-      action = "pinEntry";
-      actionPerformed = true;
-      notify();
-    }
-
-
-//    @Override
-//    protected void finalize() throws Throwable {
-//      if (viewerThread != null) {
-//        viewerThread.interrupt();
-//      }
-//      log.info("finalizing Pinpad SignaturePinProvider");
-//      super.finalize();
-//    }
-  }
-
-  class PinpadCardPinProvider extends AbstractPINProvider {
-
-    private PinpadCardPinProvider() {
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-
-      showPinpadPINDialog(retries, spec);
-      retry = true;
-      return null;
-
-    }
-
-    private void showPinpadPINDialog(int retries, PINSpec pinSpec) {
-      String title, message;
-      Object[] params;
-      if (retry) {
-        title = BKUGUIFacade.TITLE_RETRY;
-        message = BKUGUIFacade.MESSAGE_RETRIES;
-        params = new Object[]{String.valueOf(retries)};
-      } else {
-        title = BKUGUIFacade.TITLE_CARDPIN;
-        message = BKUGUIFacade.MESSAGE_ENTERPIN_PINPAD;
-        String pinSize = String.valueOf(pinSpec.getMinLength());
-        if (pinSpec.getMinLength() != pinSpec.getMaxLength()) {
-          pinSize += "-" + pinSpec.getMaxLength();
-        }
-        params = new Object[]{pinSpec.getLocalizedName(), pinSize};
-      }
-      gui.showMessageDialog(title, message, params);
-    }
-  }
-}
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index 58d7b305..5b436d16 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -17,6 +17,7 @@
 package at.gv.egiz.bku.smccstal;
 
 import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.pin.gui.SignPINGUI;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -78,8 +79,7 @@ public class SignRequestHandler extends AbstractRequestHandler {
                 KeyboxName kb = SignatureCard.KeyboxName.getKeyboxName(signReq.getKeyIdentifier());
 
                 byte[] resp = card.createSignature(new ByteArrayInputStream(signReq.getSignedInfo()), kb,
-                        new PINProviderFactory(card.getReader(), gui)
-                        .getSignaturePINProvider(secureViewer, si.getValue()), signatureMethod);
+                        new SignPINGUI(gui, secureViewer, si.getValue()), signatureMethod);
                 if (resp == null) {
                     return new ErrorResponse(6001);
                 }
diff --git a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
index 16d3efa9..bf57b0a6 100644
--- a/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
+++ b/smccSTAL/src/test/java/at/gv/egiz/smcc/AbstractSMCCSTALTest.java
@@ -16,7 +16,7 @@ import org.junit.Test;
 import at.gv.egiz.bku.gui.BKUGUIFacade;
 import at.gv.egiz.bku.smccstal.AbstractSMCCSTAL;
 import at.gv.egiz.bku.smccstal.SMCCSTALRequestHandler;
-import at.gv.egiz.smcc.ccid.CCID;
+import at.gv.egiz.smcc.pin.gui.PINGUI;
 import at.gv.egiz.stal.ErrorResponse;
 import at.gv.egiz.stal.InfoboxReadRequest;
 import at.gv.egiz.stal.InfoboxReadResponse;
@@ -39,7 +39,7 @@ public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
 
     @Override
     public byte[] createSignature(InputStream input, KeyboxName keyboxName,
-        PINProvider provider, String alg) throws SignatureCardException {
+        PINGUI provider, String alg) throws SignatureCardException {
       // TODO Auto-generated method stub
       return null;
     }
@@ -58,7 +58,7 @@ public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
     }
 
     @Override
-    public byte[] getInfobox(String infobox, PINProvider provider,
+    public byte[] getInfobox(String infobox, PINGUI provider,
         String domainId) throws SignatureCardException {
       // TODO Auto-generated method stub
       return null;
@@ -87,13 +87,6 @@ public class AbstractSMCCSTALTest extends AbstractSMCCSTAL implements
       // TODO Auto-generated method stub
       
     }
-
-    @Override
-    public CCID getReader() {
-      // TODO Auto-generated method stub
-      return null;
-    }
-
    };
     return false;
   }
diff --git a/smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINGUI.java b/smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINGUI.java
new file mode 100644
index 00000000..26a24609
--- /dev/null
+++ b/smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINGUI.java
@@ -0,0 +1,88 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.gui.PINManagementGUIFacade;
+import at.gv.egiz.bku.gui.PINManagementGUIFacade.DIALOG;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.pin.gui.ModifyPINGUI;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class ManagementPINGUI extends ManagementPINProvider implements ModifyPINGUI {
+
+  protected static final Log log = LogFactory.getLog(ManagementPINGUI.class);
+
+  private boolean retry = false;
+
+  public ManagementPINGUI(PINManagementGUIFacade gui, DIALOG type) {
+    super(gui, type);
+  }
+
+  @Override
+  public void modifyPINDirect(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {    
+    gui.showModifyPINDirect(type, spec, (retry) ? retries : -1);
+    retry = true;
+  }
+
+  @Override
+  public void finishDirect() {
+    gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT, BKUGUIFacade.MESSAGE_WAIT);
+  }
+
+  @Override
+  public void enterCurrentPIN(PINSpec spec, int retries) {
+    gui.showEnterCurrentPIN(type, spec, (retry) ? retries : -1);
+    retry = true;
+  }
+
+  @Override
+  public void enterNewPIN(PINSpec spec) {
+    gui.showEnterNewPIN(type, spec);
+    retry = true;
+  }
+
+  @Override
+  public void confirmNewPIN(PINSpec spec) {
+    gui.showConfirmNewPIN(type, spec);
+    retry = true;
+  }
+
+
+  @Override
+  public void validKeyPressed() {
+    gui.validKeyPressed();
+  }
+
+  @Override
+  public void correctionButtonPressed() {
+    gui.correctionButtonPressed();
+  }
+
+  @Override
+  public void allKeysCleared() {
+    gui.allKeysCleared();
+  }
+
+  @Override
+  public void finish() {
+    gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT, BKUGUIFacade.MESSAGE_WAIT);
+  }
+}
diff --git a/smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINProvider.java b/smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINProvider.java
new file mode 100644
index 00000000..8d842d13
--- /dev/null
+++ b/smccSTALExt/src/main/java/at/gv/egiz/bku/pin/gui/ManagementPINProvider.java
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2008 Federal Chancellery Austria and
+ * Graz University of Technology
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package at.gv.egiz.bku.pin.gui;
+
+import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.gui.PINManagementGUIFacade;
+import at.gv.egiz.smcc.CancelledException;
+import at.gv.egiz.smcc.PINSpec;
+import at.gv.egiz.smcc.pin.gui.ModifyPINProvider;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class ManagementPINProvider extends AbstractPINProvider implements ModifyPINProvider {
+
+  protected static final Log log = LogFactory.getLog(ManagementPINProvider.class);
+  protected PINManagementGUIFacade gui;
+  protected PINManagementGUIFacade.DIALOG type;
+  private boolean retry = false;
+
+  public ManagementPINProvider(PINManagementGUIFacade gui, PINManagementGUIFacade.DIALOG type) {
+    this.gui = gui;
+    this.type = type;
+  }
+
+  @Override
+  public char[] provideCurrentPIN(PINSpec spec, int retries)
+          throws CancelledException, InterruptedException {
+
+    gui.showPINDialog(type, spec, (retry) ? retries : -1,
+            this, "change",
+            this, "cancel");
+
+    log.trace("[" + Thread.currentThread().getName() + "] wait for action");
+    waitForAction();
+    log.trace("[" + Thread.currentThread().getName() + "] received action " + action);
+
+    gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+            BKUGUIFacade.MESSAGE_WAIT);
+
+    if ("cancel".equals(action)) {
+      throw new CancelledException(spec.getLocalizedName() +
+              " entry cancelled");
+    }
+    retry = true;
+    return gui.getOldPin();
+  }
+
+  @Override
+  public char[] provideNewPIN(PINSpec spec)
+          throws CancelledException, InterruptedException {
+    
+    char[] pin = gui.getPin();
+    if (pin != null) {
+      // change pin dialog also returns new pin
+      return pin;
+    }
+
+    gui.showPINDialog(type, spec, -1,
+            this, "activate",
+            this, "cancel");
+
+    log.trace("[" + Thread.currentThread().getName() + "] wait for action");
+    waitForAction();
+    log.trace("[" + Thread.currentThread().getName() + "] received action " + action);
+
+    gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
+              BKUGUIFacade.MESSAGE_WAIT);
+
+    if ("cancel".equals(action)) {
+      throw new CancelledException(spec.getLocalizedName() +
+              " entry cancelled");
+    }
+    return gui.getPin();
+  }
+}
diff --git a/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/ManagementPINProviderFactory.java b/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/ManagementPINProviderFactory.java
deleted file mode 100644
index 493733b8..00000000
--- a/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/ManagementPINProviderFactory.java
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright 2008 Federal Chancellery Austria and
- * Graz University of Technology
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package at.gv.egiz.bku.smccstal;
-
-import at.gv.egiz.bku.gui.BKUGUIFacade;
-import at.gv.egiz.smcc.ChangePINProvider;
-import at.gv.egiz.bku.gui.PINManagementGUIFacade;
-import at.gv.egiz.bku.smccstal.AbstractPINProvider;
-import at.gv.egiz.bku.smccstal.PINProviderFactory;
-import at.gv.egiz.smcc.CancelledException;
-import at.gv.egiz.smcc.ccid.CCID;
-import at.gv.egiz.smcc.PINProvider;
-import at.gv.egiz.smcc.PINSpec;
-import at.gv.egiz.smcc.SignatureCard;
-
-/**
- *
- * @author Clemens Orthacker <clemens.orthacker@iaik.tugraz.at>
- */
-public class ManagementPINProviderFactory extends PINProviderFactory {
-
-  public ManagementPINProviderFactory(CCID reader, PINManagementGUIFacade gui) {
-    super(reader, gui);
-  }
-  
-//  public static ManagementPINProviderFactory getInstance(SignatureCard forCard,
-//          PINManagementGUIFacade gui) {
-//    if (forCard.getReader().hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-//      return new PinpadPINProviderFactory(gui);
-//
-//    } else {
-//      return new SoftwarePINProviderFactory(gui);
-//    }
-//  }
-
-  public PINProvider getVerifyPINProvider() {
-    if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_START)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.VERIFY);
-    } else if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.VERIFY);
-    } else {
-      return new SoftwareGenericPinProvider(PINManagementGUIFacade.DIALOG.VERIFY);
-    }
-  }
-
-  public PINProvider getActivatePINProvider() {
-    if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_START)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.ACTIVATE);
-    } else if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_DIRECT)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.ACTIVATE);
-    } else {
-      return new SoftwareGenericPinProvider(PINManagementGUIFacade.DIALOG.ACTIVATE);
-    }
-  }
-
-  public ChangePINProvider getChangePINProvider() {
-    if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_START)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.CHANGE);
-    } else if (reader.hasFeature(CCID.FEATURE_MODIFY_PIN_DIRECT)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.CHANGE);
-    } else {
-      return new ChangePinProvider();
-    }
-  }
-
-  public PINProvider getUnblockPINProvider() {
-    if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_START)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.UNBLOCK);
-    } else if (reader.hasFeature(CCID.FEATURE_VERIFY_PIN_DIRECT)) {
-      return new PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG.UNBLOCK);
-    } else {
-      return new SoftwareGenericPinProvider(PINManagementGUIFacade.DIALOG.UNBLOCK);
-    }
-  }
-
-  class PinpadGenericPinProvider extends AbstractPINProvider
-          implements ChangePINProvider {
-
-    protected PINManagementGUIFacade.DIALOG type;
-
-    private PinpadGenericPinProvider(PINManagementGUIFacade.DIALOG type) {
-      this.type = type;
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-
-      showPinpadPINDialog(retries, spec);
-      retry = true;
-      return null;
-    }
-
-    /**
-     * do not call this method without calling providePIN()
-     * (no message is displayed)
-     * @param spec
-     * @param retries
-     * @return
-     */
-    @Override
-    public char[] provideOldPIN(PINSpec spec, int retries) {
-      return null;
-    }
-
-    private void showPinpadPINDialog(int retries, PINSpec pinSpec) {
-      String title, message;
-      Object[] params;
-      if (retry) {
-        if (retries == 1) {
-          message = BKUGUIFacade.MESSAGE_LAST_RETRY_PINPAD;
-        } else {
-          message = BKUGUIFacade.MESSAGE_RETRIES_PINPAD;
-        }
-        title = BKUGUIFacade.TITLE_RETRY;
-        params = new Object[]{String.valueOf(retries)};
-      } else if (type == PINManagementGUIFacade.DIALOG.VERIFY) {
-        title = PINManagementGUIFacade.TITLE_VERIFY_PIN;
-        message = BKUGUIFacade.MESSAGE_ENTERPIN_PINPAD;
-        params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
-      } else if (type == PINManagementGUIFacade.DIALOG.ACTIVATE) {
-        title = PINManagementGUIFacade.TITLE_ACTIVATE_PIN;
-        message = PINManagementGUIFacade.MESSAGE_ACTIVATEPIN_PINPAD;
-        params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
-      } else if (type == PINManagementGUIFacade.DIALOG.CHANGE) {
-        title = PINManagementGUIFacade.TITLE_CHANGE_PIN;
-        message = PINManagementGUIFacade.MESSAGE_CHANGEPIN_PINPAD;
-        params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
-      } else { //if (type == DIALOG.UNBLOCK) {
-        title = PINManagementGUIFacade.TITLE_UNBLOCK_PIN;
-        message = PINManagementGUIFacade.MESSAGE_UNBLOCKPIN_PINPAD;
-        params = new Object[]{pinSpec.getLocalizedName(), pinSpec.getLocalizedLength()};
-      }
-      gui.showMessageDialog(title, message, params);
-    }
-  }
-
-
-  class SoftwareGenericPinProvider extends AbstractPINProvider {
-
-//    protected PINManagementGUIFacade gui;
-    protected PINManagementGUIFacade.DIALOG type;
-
-    private SoftwareGenericPinProvider(PINManagementGUIFacade.DIALOG type) {
-      this.type = type;
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-
-      ((PINManagementGUIFacade) gui).showPINDialog(type, spec,
-              (retry) ? retries : -1,
-              this, "exec",
-              this, "back");
-
-      waitForAction();
-
-      if ("exec".equals(action)) {
-        gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
-                BKUGUIFacade.MESSAGE_WAIT);
-        retry = true;
-        return gui.getPin();
-      } else if ("back".equals(action)) {
-        throw new CancelledException();
-      } else {
-        log.error("unsupported command " + action);
-        throw new CancelledException();
-      }
-    }
-  }
-
-  class ChangePinProvider extends AbstractPINProvider
-          implements ChangePINProvider {
-
-//    protected PINManagementGUIFacade gui;
-
-    private char[] oldPin;
-    private char[] newPin;
-
-    private ChangePinProvider() {
-    }
-
-    @Override
-    public char[] providePIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-      if (newPin == null) {
-        getPINs(spec, retries);
-      }
-      char[] pin = newPin;
-      newPin = null;
-      return pin;
-    }
-
-    @Override
-    public char[] provideOldPIN(PINSpec spec, int retries)
-            throws CancelledException, InterruptedException {
-      if (oldPin == null) {
-        getPINs(spec, retries);
-      }
-      char[] pin = oldPin;
-      oldPin = null;
-      return pin;
-    }
-
-    private void getPINs(PINSpec spec, int retries)
-            throws InterruptedException, CancelledException {
-
-      ((PINManagementGUIFacade) gui).showPINDialog(
-              PINManagementGUIFacade.DIALOG.CHANGE, spec,
-              (retry) ? retries : -1,
-              this, "exec",
-              this, "back");
-
-      waitForAction();
-
-      if ("exec".equals(action)) {
-        gui.showMessageDialog(BKUGUIFacade.TITLE_WAIT,
-                BKUGUIFacade.MESSAGE_WAIT);
-        retry = true;
-        oldPin = ((PINManagementGUIFacade) gui).getOldPin();
-        newPin = gui.getPin();
-      } else if ("back".equals(action)) {
-        throw new CancelledException();
-      } else {
-        log.error("unsupported command " + action);
-        throw new CancelledException();
-      }
-    }
-  }
-}
diff --git a/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/PINManagementRequestHandler.java b/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/PINManagementRequestHandler.java
index bfeb90b0..0d49afd0 100644
--- a/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/PINManagementRequestHandler.java
+++ b/smccSTALExt/src/main/java/at/gv/egiz/bku/smccstal/PINManagementRequestHandler.java
@@ -23,9 +23,11 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import at.gv.egiz.bku.gui.BKUGUIFacade;
+import at.gv.egiz.bku.gui.PINManagementGUI;
 import at.gv.egiz.bku.gui.PINManagementGUIFacade;
 import at.gv.egiz.bku.gui.PINManagementGUIFacade.STATUS;
-import at.gv.egiz.bku.smccstal.AbstractRequestHandler;
+import at.gv.egiz.bku.pin.gui.ManagementPINGUI;
+import at.gv.egiz.bku.pin.gui.VerifyPINGUI;
 import at.gv.egiz.smcc.CancelledException;
 import at.gv.egiz.smcc.LockedException;
 import at.gv.egiz.smcc.NotActivatedException;
@@ -96,40 +98,15 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
             throw new NullPointerException("no PIN selected for activation/change");
           }
 
-          ManagementPINProviderFactory ppfac =
-                  new ManagementPINProviderFactory(card.getReader(), gui);
-
           try {
             if ("activate_enterpin".equals(actionCommand)) {
-              log.info("activate " + selectedPIN.getLocalizedName());
-              ((PINMgmtSignatureCard) card).activatePIN(selectedPIN,
-                      ppfac.getActivatePINProvider());
-              updatePINState(selectedPIN, STATUS.ACTIV);
-              gui.showMessageDialog(PINManagementGUIFacade.TITLE_ACTIVATE_SUCCESS,
-                      PINManagementGUIFacade.MESSAGE_ACTIVATE_SUCCESS,
-                      new Object[] {selectedPIN.getLocalizedName()},
-                      BKUGUIFacade.BUTTON_OK, this, "ok");
-              waitForAction();
+              activatePIN(selectedPIN);
             } else if ("change_enterpin".equals(actionCommand)) {
-              log.info("change " + selectedPIN.getLocalizedName());
-              ((PINMgmtSignatureCard) card).changePIN(selectedPIN, 
-                      ppfac.getChangePINProvider());
-              updatePINState(selectedPIN, STATUS.ACTIV);
-              gui.showMessageDialog(PINManagementGUIFacade.TITLE_CHANGE_SUCCESS,
-                      PINManagementGUIFacade.MESSAGE_CHANGE_SUCCESS,
-                      new Object[] {selectedPIN.getLocalizedName()},
-                      BKUGUIFacade.BUTTON_OK, this, "ok");
-              waitForAction();
-
+              changePIN(selectedPIN);
             } else if ("unblock_enterpuk".equals(actionCommand)) {
-              log.info("unblock " + selectedPIN.getLocalizedName());
-              ((PINMgmtSignatureCard) card).unblockPIN(selectedPIN,
-                      ppfac.getUnblockPINProvider());
+              unblockPIN(selectedPIN);
             } else if ("verify_enterpin".equals(actionCommand)) {
-              log.info("verify " + selectedPIN.getLocalizedName());
-              ((PINMgmtSignatureCard) card).verifyPIN(selectedPIN,
-                      ppfac.getVerifyPINProvider());
-              updatePINState(selectedPIN, STATUS.ACTIV);
+              verifyPIN(selectedPIN);
             }
           } catch (CancelledException ex) {
             log.trace("cancelled");
@@ -154,29 +131,17 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
                     new Object[] {selectedPIN.getLocalizedName()},
                     this, null);
             waitForAction();
-          } catch (PINConfirmationException ex) {
-            log.error("confirmation pin does not match new " + selectedPIN.getLocalizedName());
-            gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_CONFIRMATION,
-                    new Object[] {selectedPIN.getLocalizedName()},
-                    this, null);
-            waitForAction();
+
+            // inner loop for pinConfirmation and pinFormat ex
+//          } catch (PINConfirmationException ex) {
+//          } catch (PINFormatException ex) {
+
           } catch (PINOperationAbortedException ex) {
             log.error("pin operation aborted without further details");
             gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_OPERATION_ABORTED,
                     new Object[] {selectedPIN.getLocalizedName()},
                     this, null);
             waitForAction();
-          } catch (PINFormatException ex) {
-            log.error("wrong format of new " + selectedPIN.getLocalizedName());
-//            updatePINStatus(selectedPIN, STATUS.NOT_ACTIV);
-            String pinSize = String.valueOf(selectedPIN.getMinLength());
-            if (selectedPIN.getMinLength() != selectedPIN.getMaxLength()) {
-                pinSize += "-" + selectedPIN.getMaxLength();
-            }
-            gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_FORMAT,
-                    new Object[] {selectedPIN.getLocalizedName(), pinSize},
-                    this, null);
-            waitForAction();
           }
         } // end if
 
@@ -206,6 +171,157 @@ public class PINManagementRequestHandler extends AbstractRequestHandler {
     }
   }
 
+  private void activatePIN(PINSpec selectedPIN)
+          throws InterruptedException, SignatureCardException, GetPINStatusException {
+
+    log.info("activate " + selectedPIN.getLocalizedName());
+    ManagementPINGUI pinGUI = new ManagementPINGUI((PINManagementGUI) gui,
+            PINManagementGUIFacade.DIALOG.ACTIVATE);
+
+    boolean reentry;
+    do {
+      try {
+        reentry = false;
+        ((PINMgmtSignatureCard) card).activatePIN(selectedPIN, pinGUI);
+      } catch (PINConfirmationException ex) {
+        reentry = true;
+        log.error("confirmation pin does not match new " + selectedPIN.getLocalizedName());
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_CONFIRMATION,
+                new Object[] {selectedPIN.getLocalizedName()},
+                this, null);
+        waitForAction();
+      } catch (PINFormatException ex) {
+        reentry = true;
+        log.error("wrong format of new " + selectedPIN.getLocalizedName());
+        String pinSize = String.valueOf(selectedPIN.getMinLength());
+        if (selectedPIN.getMinLength() != selectedPIN.getMaxLength()) {
+            pinSize += "-" + selectedPIN.getMaxLength();
+        }
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_FORMAT,
+                new Object[] {selectedPIN.getLocalizedName(), pinSize},
+                this, null);
+        waitForAction();
+      }
+    } while (reentry);
+
+    updatePINState(selectedPIN, STATUS.ACTIV);
+    gui.showMessageDialog(PINManagementGUIFacade.TITLE_ACTIVATE_SUCCESS,
+            PINManagementGUIFacade.MESSAGE_ACTIVATE_SUCCESS,
+            new Object[]{selectedPIN.getLocalizedName()},
+            BKUGUIFacade.BUTTON_OK, this, "ok");
+    waitForAction();
+  }
+
+  private void verifyPIN(PINSpec selectedPIN)
+          throws InterruptedException, SignatureCardException, GetPINStatusException {
+
+    log.info("verify " + selectedPIN.getLocalizedName());
+    VerifyPINGUI pinGUI = new VerifyPINGUI(gui);
+
+    boolean reentry;
+    do {
+      try {
+        reentry = false;
+        ((PINMgmtSignatureCard) card).verifyPIN(selectedPIN, pinGUI);
+      } catch (PINFormatException ex) {
+        reentry = true;
+        log.error("wrong format of new " + selectedPIN.getLocalizedName());
+        String pinSize = String.valueOf(selectedPIN.getMinLength());
+        if (selectedPIN.getMinLength() != selectedPIN.getMaxLength()) {
+            pinSize += "-" + selectedPIN.getMaxLength();
+        }
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_FORMAT,
+                new Object[] {selectedPIN.getLocalizedName(), pinSize},
+                this, null);
+        waitForAction();
+      }
+    } while (reentry);
+
+    updatePINState(selectedPIN, STATUS.ACTIV);
+  }
+
+  private void changePIN(PINSpec selectedPIN)
+          throws SignatureCardException, GetPINStatusException, InterruptedException {
+
+    log.info("change " + selectedPIN.getLocalizedName());
+    ManagementPINGUI pinGUI = new ManagementPINGUI((PINManagementGUI) gui,
+            PINManagementGUIFacade.DIALOG.CHANGE);
+
+    boolean reentry;
+    do {
+      try {
+        reentry = false;
+        ((PINMgmtSignatureCard) card).changePIN(selectedPIN, pinGUI);
+      } catch (PINConfirmationException ex) {
+        reentry = true;
+        log.error("confirmation pin does not match new " + selectedPIN.getLocalizedName());
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_CONFIRMATION,
+                new Object[] {selectedPIN.getLocalizedName()},
+                this, null);
+        waitForAction();
+      } catch (PINFormatException ex) {
+        reentry = true;
+        log.error("wrong format of new " + selectedPIN.getLocalizedName());
+        String pinSize = String.valueOf(selectedPIN.getMinLength());
+        if (selectedPIN.getMinLength() != selectedPIN.getMaxLength()) {
+            pinSize += "-" + selectedPIN.getMaxLength();
+        }
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_FORMAT,
+                new Object[] {selectedPIN.getLocalizedName(), pinSize},
+                this, null);
+        waitForAction();
+      }
+    } while (reentry);
+
+    updatePINState(selectedPIN, STATUS.ACTIV);
+    gui.showMessageDialog(PINManagementGUIFacade.TITLE_CHANGE_SUCCESS,
+            PINManagementGUIFacade.MESSAGE_CHANGE_SUCCESS,
+            new Object[]{selectedPIN.getLocalizedName()},
+            BKUGUIFacade.BUTTON_OK, this, "ok");
+    waitForAction();
+  }
+
+  private void unblockPIN(PINSpec selectedPIN)
+          throws SignatureCardException, GetPINStatusException, InterruptedException {
+
+    log.info("unblock " + selectedPIN.getLocalizedName());
+    ManagementPINGUI pinGUI = new ManagementPINGUI((PINManagementGUI) gui,
+            PINManagementGUIFacade.DIALOG.UNBLOCK);
+
+    boolean reentry;
+    do {
+      try {
+        reentry = false;
+        ((PINMgmtSignatureCard) card).unblockPIN(selectedPIN, pinGUI);
+      } catch (PINConfirmationException ex) {
+        reentry = true;
+        log.error("confirmation pin does not match new " + selectedPIN.getLocalizedName());
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_CONFIRMATION,
+                new Object[] {selectedPIN.getLocalizedName()},
+                this, null);
+        waitForAction();
+      } catch (PINFormatException ex) {
+        reentry = true;
+        log.error("wrong format of new " + selectedPIN.getLocalizedName());
+        String pinSize = String.valueOf(selectedPIN.getMinLength());
+        if (selectedPIN.getMinLength() != selectedPIN.getMaxLength()) {
+            pinSize += "-" + selectedPIN.getMaxLength();
+        }
+        gui.showErrorDialog(PINManagementGUIFacade.ERR_PIN_FORMAT,
+                new Object[] {selectedPIN.getLocalizedName(), pinSize},
+                this, null);
+        waitForAction();
+      }
+    } while (reentry);
+
+    updatePINState(selectedPIN, STATUS.ACTIV);
+    gui.showMessageDialog(PINManagementGUIFacade.TITLE_UNBLOCK_SUCCESS,
+            PINManagementGUIFacade.MESSAGE_UNBLOCK_SUCCESS,
+            new Object[]{selectedPIN.getLocalizedName()},
+            BKUGUIFacade.BUTTON_OK, this, "ok");
+    waitForAction();
+  }
+
   @Override
   public boolean requireCard() {
     return true;
-- 
cgit v1.2.3