+ /* XXX: sc_prkey_op_init will search for a pkcs15 private
+ * key object with the sign or signrecover usage flag set.
+ * If the signing key has only the non-repudiation flag set
+ * the key will be rejected as using a non-repudiation key
+ * for authentication is not recommended. Note: This does not
+ * prevent the use of a non-repudiation key for authentication
+ * if the sign or signrecover flag is set as well.
+ */
+ r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN);