From 7f02ceeefb8d9db0e62b32635afd319706b470f1 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Thu, 18 May 2017 19:02:00 -0400
Subject: Translate more PKCS #11 attributes into HAL_KEY_FLAG_* settings.

---
 pkcs11.c | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/pkcs11.c b/pkcs11.c
index fbc0845..a17eec9 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -1794,6 +1794,7 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
 
   const CK_BBOOL * public_cka_private = NULL, * public_cka_token = NULL;
   const CK_BBOOL *private_cka_private = NULL, *private_cka_token = NULL;
+  const CK_BBOOL *private_cka_extractable = NULL;
 
   /*
    * Check values provided in the public and private templates.
@@ -1827,10 +1828,13 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
       goto fail;
 
     if (type == CKA_TOKEN)
-      public_cka_token = val;
+      private_cka_token = val;
 
     if (type == CKA_PRIVATE)
-      public_cka_private = val;
+      private_cka_private = val;
+
+    if (type == CKA_EXTRACTABLE)
+      private_cka_extractable = val;
 
     p11_attribute_apply_keyusage(private_flags, type, val);
   }
@@ -1843,6 +1847,25 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
   if (*public_flags != *private_flags || *public_flags == 0)
     lose(CKR_TEMPLATE_INCONSISTENT);
 
+  /*
+   * Pass PKCS #11's weird notion of "public" objects through to HSM.
+   */
+
+  if (public_cka_private != NULL && ! *public_cka_private)
+    *public_flags |= HAL_KEY_FLAG_PUBLIC;
+
+  if (private_cka_private != NULL && ! *private_cka_private)
+    *private_flags |= HAL_KEY_FLAG_PUBLIC;
+
+  /*
+   * Pass extractability through to HSM.  Public keys are always extractable.
+   */
+
+  *public_flags |= HAL_KEY_FLAG_EXPORTABLE;
+
+  if (private_cka_extractable != NULL && *private_cka_extractable)
+    *private_flags |= HAL_KEY_FLAG_EXPORTABLE;
+
   /*
    * Check that all required attributes have been specified.
    */
@@ -3038,9 +3061,11 @@ CK_RV C_CreateObject(CK_SESSION_HANDLE hSession,
   if (pTemplate == NULL || phObject == NULL)
     lose(CKR_ARGUMENTS_BAD);
 
-  const CK_OBJECT_CLASS * const cka_class = p11_attribute_find_value_in_template(CKA_CLASS,    pTemplate, ulCount);
-  const CK_KEY_TYPE * const cka_key_type  = p11_attribute_find_value_in_template(CKA_KEY_TYPE, pTemplate, ulCount);
-  const CK_BBOOL * const cka_token        = p11_attribute_find_value_in_template(CKA_TOKEN,    pTemplate, ulCount);
+  const CK_OBJECT_CLASS * const cka_class       = p11_attribute_find_value_in_template(CKA_CLASS,       pTemplate, ulCount);
+  const CK_KEY_TYPE     * const cka_key_type    = p11_attribute_find_value_in_template(CKA_KEY_TYPE,    pTemplate, ulCount);
+  const CK_BBOOL        * const cka_token       = p11_attribute_find_value_in_template(CKA_TOKEN,       pTemplate, ulCount);
+  const CK_BBOOL        * const cka_private     = p11_attribute_find_value_in_template(CKA_PRIVATE,     pTemplate, ulCount);
+  const CK_BBOOL        * const cka_extractable = p11_attribute_find_value_in_template(CKA_EXTRACTABLE, pTemplate, ulCount);
 
   if (cka_class == NULL)
     lose(CKR_TEMPLATE_INCOMPLETE);
@@ -3080,6 +3105,12 @@ CK_RV C_CreateObject(CK_SESSION_HANDLE hSession,
   for (int i = 0; i < ulCount; i++)
     p11_attribute_apply_keyusage(&flags, pTemplate[i].type, pTemplate[i].pValue);
 
+  if (cka_private != NULL && ! *cka_private)
+    flags |= HAL_KEY_FLAG_PUBLIC;
+
+  if (*cka_class == CKO_PUBLIC_KEY || (cka_extractable != NULL && *cka_extractable))
+    flags |= HAL_KEY_FLAG_EXPORTABLE;
+
   int (*handler)(const p11_session_t *session,
                  const handle_flavor_t flavor,
                  const CK_ATTRIBUTE_PTR pTemplate,
-- 
cgit v1.2.3