diff --git a/Cargo.lock b/Cargo.lock index 212d582c..166299f4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -248,21 +248,23 @@ dependencies = [ [[package]] name = "cryptoki" -version = "0.3.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "570006e51d08ec89ce5bbfdcf428ad96111636d524bf2447bee6377fd0e1d889" +checksum = "95d9fb68c88020896fa3741a10e41f206b2ace927724170a753a3f2ba5f77c2b" dependencies = [ + "bitflags", "cryptoki-sys", - "derivative", "libloading", "log", + "paste", + "secrecy 0.8.0", ] [[package]] name = "cryptoki-sys" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d12231889cbf7e11d2965a063d9518bc7aac60c5b125dc61c8ff2111a160eae" +checksum = "4bc9943e09928a84ed6e76dbaea1699b7678e95b2487b0de31075af300221095" dependencies = [ "libloading", "target-lexicon", @@ -1013,7 +1015,7 @@ dependencies = [ "num-traits", "prost", "psa-crypto", - "secrecy", + "secrecy 0.7.0", "serde", "uuid", "zeroize", @@ -1056,6 +1058,12 @@ dependencies = [ "zeroize", ] +[[package]] +name = "paste" +version = "1.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c" + [[package]] name = "peeking_take_while" version = "0.1.2" @@ -1497,6 +1505,15 @@ dependencies = [ "zeroize", ] +[[package]] +name = "secrecy" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e" +dependencies = [ + "zeroize", +] + [[package]] name = "semver" version = "0.11.0" diff --git a/Cargo.toml b/Cargo.toml index 69cee4e4..84eb89b9 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -26,7 +26,7 @@ toml = "0.5.8" serde = { version = "1.0.123", features = ["derive"] } env_logger = "0.8.3" log = { version = "0.4.14", features = ["serde"] } -cryptoki = { version = "0.3.1", optional = true, default-features = false } +cryptoki = { version = "0.5.0", optional = true, default-features = false } picky-asn1-der = { version = "0.4.0", optional = true } picky-asn1 = { version = "0.7.2", optional = true } tss-esapi = { version = "7.2.0", optional = true } diff --git a/e2e_tests/Cargo.toml b/e2e_tests/Cargo.toml index f470129e..2ddb9a3b 100644 --- a/e2e_tests/Cargo.toml +++ b/e2e_tests/Cargo.toml @@ -30,7 +30,7 @@ picky-asn1 = "0.3.1" sha2 = "0.9.3" serial_test = "0.5.1" regex = "1.6.0" -cryptoki = { version = "0.3.1", default-features = false } +cryptoki = { version = "0.5.0", default-features = false } snailquote = "0.3.1" [features] diff --git a/e2e_tests/tests/all_providers/config/mod.rs b/e2e_tests/tests/all_providers/config/mod.rs index f028e635..528cd898 100644 --- a/e2e_tests/tests/all_providers/config/mod.rs +++ b/e2e_tests/tests/all_providers/config/mod.rs @@ -1,5 +1,6 @@ // Copyright 2020 Contributors to the Parsec project. // SPDX-License-Identifier: Apache-2.0 +use cryptoki::types::AuthPin; use e2e_tests::auto_test_keyname; use e2e_tests::TestClient; use log::{error, info}; @@ -456,7 +457,6 @@ fn activate_cred_no_auth() { #[cfg(feature = "pkcs11-provider")] fn init_pkcs11_token(lib: &str, so_pin: &str, pin: &str) -> String { use cryptoki::context::{CInitializeArgs, Pkcs11}; - use cryptoki::session::SessionFlags; use cryptoki::session::UserType; use std::path::Path; 
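Review bot: The new `use cryptoki::types::AuthPin;` in e2e_tests/tests/all_providers/config/mod.rs sits at file scope, while the other cryptoki imports for `init_pkcs11_token` are function-local under `#[cfg(feature = "pkcs11-provider")]`. If nothing outside that gated function uses `AuthPin` (not visible in these hunks), a build without the feature gets an unused-import warning, which fails wherever warnings are denied. Moving the line next to `use cryptoki::session::UserType;` inside the function keeps all PKCS#11-only imports behind the same gate.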
@@ -464,19 +464,22 @@ fn init_pkcs11_token(lib: &str, so_pin: &str, pin: &str) -> String { // // initialize the library pkcs11.initialize(CInitializeArgs::OsThreads).unwrap(); let slot = pkcs11.get_slots_with_token().unwrap().pop().unwrap(); - pkcs11.init_token(slot, so_pin, "Test Token").unwrap(); - // set flags - let mut flags = SessionFlags::new(); - let _ = flags.set_rw_session(true).set_serial_session(true); + pkcs11 + .init_token(slot, &AuthPin::new(so_pin.to_string()), "Test Token") + .unwrap(); // open a session - let session = pkcs11.open_session_no_callback(slot, flags).unwrap(); + let session = pkcs11.open_rw_session(slot).unwrap(); // log in the session - session.login(UserType::So, Some(so_pin)).unwrap(); - session.init_pin(pin).unwrap(); + session + .login(UserType::So, Some(&AuthPin::new(so_pin.to_string()))) + .unwrap(); + session.init_pin(&AuthPin::new(pin.to_string())).unwrap(); // get the token serial number let token = pkcs11.get_token_info(slot).unwrap(); pkcs11.finalize(); - std::str::from_utf8(&token.serialNumber).unwrap().to_owned() + std::str::from_utf8(token.serial_number().as_bytes()) + .unwrap() + .to_owned() } #[cfg(feature = "pkcs11-provider")] diff --git a/fuzz/Cargo.lock b/fuzz/Cargo.lock index 3046f10c..1142f7f7 100644 --- a/fuzz/Cargo.lock +++ b/fuzz/Cargo.lock 
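Review bot: The return expression of `init_pkcs11_token` round-trips the serial number through bytes for no gain. If `token.serial_number()` returns a `&str`, as the `.as_bytes()` call suggests, `from_utf8(...).unwrap()` cannot fail and the expression reduces to `token.serial_number().to_owned()`. The same pattern is in the `ProviderBuilder` hunk of src/providers/pkcs11/mod.rs (`String::from_utf8(current_token.serial_number().as_bytes().to_vec())`), where the `map_err` arm would then be dead code that still reads like a live validation step. Separately, `AuthPin::new(so_pin.to_string())` is built twice here; binding it once with `let so_pin = AuthPin::new(so_pin.to_string());` and passing `&so_pin` to both `init_token` and `login` keeps a single wrapped copy of the SO PIN.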
@@ -278,22 +278,23 @@ checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc" [[package]] name = "cryptoki" -version = "0.3.1" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "570006e51d08ec89ce5bbfdcf428ad96111636d524bf2447bee6377fd0e1d889" +checksum = "95d9fb68c88020896fa3741a10e41f206b2ace927724170a753a3f2ba5f77c2b" dependencies = [ + "bitflags", "cryptoki-sys", - "derivative", "libloading", "log", - "psa-crypto", + "paste", + "secrecy 0.8.0", ] [[package]] name = "cryptoki-sys" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d12231889cbf7e11d2965a063d9518bc7aac60c5b125dc61c8ff2111a160eae" +checksum = "4bc9943e09928a84ed6e76dbaea1699b7678e95b2487b0de31075af300221095" dependencies = [ "libloading", "target-lexicon", @@ -1053,7 +1054,7 @@ dependencies = [ "num-traits", "prost", "psa-crypto", - "secrecy", + "secrecy 0.7.0", "serde", "uuid", "zeroize", @@ -1091,6 +1092,12 @@ dependencies = [ "zeroize", ] +[[package]] +name = "paste" +version = "1.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c" + [[package]] name = "peeking_take_while" version = "0.1.2" @@ -1467,6 +1474,15 @@ dependencies = [ "zeroize", ] +[[package]] +name = "secrecy" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e" +dependencies = [ + "zeroize", +] + [[package]] name = "semver" version = "0.11.0" diff --git a/src/providers/pkcs11/capability_discovery.rs b/src/providers/pkcs11/capability_discovery.rs index 7b14df41..d98d7b5f 100644 --- a/src/providers/pkcs11/capability_discovery.rs +++ b/src/providers/pkcs11/capability_discovery.rs 
@@ -77,8 +77,8 @@ impl CanDoCrypto for Provider { .get_mechanism_info(self.slot_number, mechanism.mechanism_type()) .map_err(to_response_status)?; if std::any::type_name::() == std::any::type_name::() { - if !((attributes.bits as u64) >= (*mechanism_info.min_key_size()).into() - && (attributes.bits as u64) <= (*mechanism_info.max_key_size()).into()) + if !((attributes.bits as u64) >= (mechanism_info.min_key_size() as u64) + && (attributes.bits as u64) <= (mechanism_info.max_key_size()) as u64) { info!( "Incorrect key size {} for mechanism {:?}", @@ -87,8 +87,8 @@ impl CanDoCrypto for Provider { return Err(PsaErrorNotSupported); } } else { - if !((attributes.bits as u64) >= (*mechanism_info.min_key_size() as u64) - && (attributes.bits as u64) <= (*mechanism_info.max_key_size() as u64)) + if !((attributes.bits as u64) >= (mechanism_info.min_key_size() as u64) + && (attributes.bits as u64) <= (mechanism_info.max_key_size() as u64)) { info!( "Incorrect key size {} for mechanism {:?}", diff --git a/src/providers/pkcs11/mod.rs b/src/providers/pkcs11/mod.rs index 6cd2b563..7153c1a7 100644 --- a/src/providers/pkcs11/mod.rs +++ b/src/providers/pkcs11/mod.rs @@ -11,8 +11,9 @@ use crate::providers::crypto_capability::CanDoCrypto; use crate::providers::ProviderIdentity; use cryptoki::context::{CInitializeArgs, Pkcs11}; use cryptoki::error::{Error as Pkcs11Error, RvError}; -use cryptoki::session::{Session, SessionFlags, UserType}; +use cryptoki::session::{Session, UserType}; use cryptoki::slot::Slot; +use cryptoki::types::AuthPin; use derivative::Derivative; use log::{error, info, trace, warn}; use parsec_interface::operations::{ 
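Review bot: After this change both arms of the `type_name` comparison in src/providers/pkcs11/capability_discovery.rs run the same key-size bounds test, and as far as the two hunks (-77 and -87) show, the same `info!` and `PsaErrorNotSupported` return. The branch no longer distinguishes anything and leaves two copies of a security-relevant check that can drift apart. It can collapse to `let bits = attributes.bits as u64;` followed by `if bits < mechanism_info.min_key_size() as u64 || bits > mechanism_info.max_key_size() as u64 {`. The first arm also has a stray parenthesis placement, `(mechanism_info.max_key_size()) as u64`. The enclosing function begins and ends outside the hunks, so confirm there that nothing else depends on the type comparison and that the getters' return type makes `as u64` lossless.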
@@ -211,12 +212,9 @@ impl Provider { // * logged in if the pin is set // * set on the slot in the provider fn new_session(&self) -> Result { - let mut flags = SessionFlags::new(); - let _ = flags.set_rw_session(true).set_serial_session(true); - let session = self .backend - .open_session_no_callback(self.slot_number, flags) + .open_rw_session(self.slot_number) .map_err(to_response_status)?; if self.user_pin.is_some() { @@ -231,7 +229,7 @@ impl Provider { } session - .login(UserType::User, Some(&pin)) + .login(UserType::User, Some(&AuthPin::new(pin.to_string()))) .or_else(|e| { if let Pkcs11Error::Pkcs11(RvError::UserAlreadyLoggedIn) = e { Ok(()) @@ -529,11 +527,11 @@ impl ProviderBuilder { format_error!("Failed parsing token info", e); Error::new(ErrorKind::InvalidData, "Failed parsing token info") })?; - let sn = - String::from_utf8(current_token.serialNumber.to_vec()).map_err(|e| { - format_error!("Failed parsing token serial number", e); - Error::new(ErrorKind::InvalidData, "Failed parsing token serial number") - })?; + let sn = String::from_utf8(current_token.serial_number().as_bytes().to_vec()) + .map_err(|e| { + format_error!("Failed parsing token serial number", e); + Error::new(ErrorKind::InvalidData, "Failed parsing token serial number") + })?; if sn.trim() == serial_number.trim() { slot = Some(current_slot); break; diff --git a/src/providers/pkcs11/utils.rs b/src/providers/pkcs11/utils.rs index 43c68102..dcb369ea 100644 --- a/src/providers/pkcs11/utils.rs +++ b/src/providers/pkcs11/utils.rs @@ -166,7 +166,7 @@ pub fn pkcsmgftype_from_psa_crypto_hash(alg: Hash) -> Result Result { +) -> Result, Error> { use psa_crypto::types::algorithm::{Algorithm, AsymmetricEncryption}; match alg { 
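Review bot: `Some(&AuthPin::new(pin.to_string()))` in the `login` call of `new_session` copies the user PIN into a fresh heap `String` each time a session is opened. The lockfile now carries `secrecy 0.7.0` and `secrecy 0.8.0` side by side, which is presumably why the stored PIN cannot be passed through directly. Dropping the `AuthPin` should wipe each copy, since `secrecy` depends on `zeroize`, but the conversion is still repeated secret handling on a hot path. The definitions of `pin` and `user_pin` are outside the hunk, so this is inferred. Consider building the `AuthPin` once in `ProviderBuilder` and storing it on the provider, or at least adding a comment such as `// temporary copy of the PIN; AuthPin zeroizes it on drop`, so the next reader does not have to re-derive the lifetime of the secret.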
@@ -187,13 +187,11 @@ pub fn algorithm_to_mechanism( })), Algorithm::AsymmetricSignature(AsymmetricSignature::Ecdsa { .. }) => Ok(Mechanism::Ecdsa), Algorithm::AsymmetricEncryption(AsymmetricEncryption::RsaOaep { hash_alg }) => { - Ok(Mechanism::RsaPkcsOaep(rsa::PkcsOaepParams { - hash_alg: algorithm_to_mechanism(Algorithm::from(hash_alg))?.mechanism_type(), - mgf: pkcsmgftype_from_psa_crypto_hash(hash_alg)?, - source: rsa::PkcsOaepSourceType::DATA_SPECIFIED, - source_data: std::ptr::null(), - source_data_len: 0.into(), - })) + Ok(Mechanism::RsaPkcsOaep(rsa::PkcsOaepParams::new( + algorithm_to_mechanism(Algorithm::from(hash_alg))?.mechanism_type(), + pkcsmgftype_from_psa_crypto_hash(hash_alg)?, + rsa::PkcsOaepSource::empty(), + ))) } alg => { error!("{:?} is not a supported algorithm", alg);
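Review bot: The `RsaOaep` arm of `algorithm_to_mechanism` now passes `rsa::PkcsOaepSource::empty()` without saying what that means for callers. The mechanism is built from the algorithm alone, so an OAEP label cannot be carried through this function. Whether a caller-supplied label is rejected or handled elsewhere is not visible in the hunk. A one-line comment above the constructor would record the contract, for example `// No OAEP label: the source is always empty; requests carrying a label must be handled by the caller.` The function body starts and ends outside the hunk.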