diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 9c8f47da1..33d5c489b 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -35,8 +35,7 @@
 RCSID("$Id$");
 #include <dlfcn.h>
 
-#include <openssl/ui.h>
-#include <openssl/rsa.h>
+#include "crypto_headers.h"
 
 #include "pkcs11u.h"
 #include "pkcs11.h"
@@ -77,6 +76,7 @@ struct p11_rsa {
     struct p11_module *p;
     struct p11_slot *slot;
     CK_OBJECT_HANDLE private_key;
+    CK_OBJECT_HANDLE public_key;
 };
 
 static int
@@ -86,7 +86,7 @@ p11_rsa_public_encrypt(int flen,
 		       RSA *rsa,
 		       int padding)
 {
-    return 0;
+    return -1;
 }
 
 static int
@@ -96,7 +96,40 @@ p11_rsa_public_decrypt(int flen,
 		       RSA *rsa,
 		       int padding)
 {
-    return 0;
+    struct p11_rsa *p11rsa = RSA_get_app_data(rsa);
+    CK_OBJECT_HANDLE key = p11rsa->public_key;
+    CK_MECHANISM mechanism;
+    CK_ULONG ck_sigsize;
+    int ret;
+
+    if (key == 0) /* XXX */
+	return -1;
+
+    if (padding != RSA_PKCS1_PADDING)
+	return -1;
+
+    memset(&mechanism, 0, sizeof(mechanism));
+    mechanism.mechanism = CKM_RSA_PKCS;
+
+    ck_sigsize = RSA_size(rsa);
+
+    p11_get_session(p11rsa->p, p11rsa->slot);
+
+    ret = P11FUNC(p11rsa->p, VerifyInit,
+		  (P11SESSION(p11rsa->slot), &mechanism, key));
+    if (ret != CKR_OK) {
+	p11_put_session(p11rsa->p, p11rsa->slot);
+	return -1;
+    }
+
+    ret = P11FUNC(p11rsa->p, Verify,
+		  (P11SESSION(p11rsa->slot), (CK_BYTE *)from, flen, to, ck_sigsize));
+    if (ret != CKR_OK)
+	return -1;
+
+    p11_put_session(p11rsa->p, p11rsa->slot);
+
+    return ck_sigsize;
 }
 
 
@@ -308,7 +341,6 @@ p11_put_session(struct p11_module *p, struct p11_slot *slot)
     return 0;
 }
 
-
 static int
 iterate_entries(struct p11_module *p, struct p11_slot *slot,
 		CK_ATTRIBUTE *search_data, int num_search_data,