diff --git a/ChangeLog b/ChangeLog
index 1303acc45..b7fe1fc40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20030825
+ - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from 
+   larsch@trustcenter.de
+
 20030822
  - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal 
    -lbroken; ok dtucker 
@@ -851,4 +855,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2898 2003/08/22 08:43:48 dtucker Exp $
+$Id: ChangeLog,v 1.2899 2003/08/25 00:58:26 djm Exp $
diff --git a/scard-opensc.c b/scard-opensc.c
index 4ab87ea8a..2489fec45 100644
--- a/scard-opensc.c
+++ b/scard-opensc.c
@@ -110,7 +110,8 @@ err:
 /* private key operations */
 
 static int
-sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
+sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
+	unsigned int usage)
 {
 	int r;
 	struct sc_priv_data *priv;
@@ -130,7 +131,8 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
 			goto err;
 		}
 	}
-	r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
+	r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, 
+		usage, &key_obj);
 	if (r) {
 		error("Unable to find private key from SmartCard: %s",
 		      sc_strerror(r));
@@ -176,6 +178,9 @@ err:
 	return -1;
 }
 
+#define SC_USAGE_DECRYPT	SC_PKCS15_PRKEY_USAGE_DECRYPT | \
+				SC_PKCS15_PRKEY_USAGE_UNWRAP
+
 static int
 sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
     int padding)
@@ -185,7 +190,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
 
 	if (padding != RSA_PKCS1_PADDING)
 		return -1;	
-	r = sc_prkey_op_init(rsa, &key_obj);
+	r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT);
 	if (r)
 		return -1;
 	r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, 
@@ -201,6 +206,9 @@ err:
 	return -1;
 }
 
+#define SC_USAGE_SIGN 		SC_PKCS15_PRKEY_USAGE_SIGN | \
+				SC_PKCS15_PRKEY_USAGE_SIGNRECOVER
+
 static int
 sc_sign(int type, u_char *m, unsigned int m_len,
 	unsigned char *sigret, unsigned int *siglen, RSA *rsa)
@@ -209,7 +217,15 @@ sc_sign(int type, u_char *m, unsigned int m_len,
 	int r;
 	unsigned long flags = 0;
 
-	r = sc_prkey_op_init(rsa, &key_obj);
+	/* XXX: sc_prkey_op_init will search for a pkcs15 private
+	 * key object with the sign or signrecover usage flag set.
+	 * If the signing key has only the non-repudiation flag set
+	 * the key will be rejected as using a non-repudiation key
+	 * for authentication is not recommended. Note: This does not
+	 * prevent the use of a non-repudiation key for authentication
+	 * if the sign or signrecover flag is set as well. 
+	 */
+	r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN);
 	if (r)
 		return -1;
 	/* FIXME: length of sigret correct? */