When creating symmetric keys, use CKK_ definitions (key type) rather than CKM_ definitions (mechanism) to specify the key type.

src/pkcs15init/pkcs15-lib.c

@@ -1330,13 +1330,16 @@ sc_pkcs15init_init_skdf(struct sc_pkcs15_card *p15card, struct sc_profile *profi
 	key_info->key_reference = 0;
 	switch (keyargs->algorithm) {
 	case SC_ALGORITHM_DES:
-		key_info->key_type = CKM_DES_ECB;
+		key_info->key_type = CKK_DES;
 		break;
 	case SC_ALGORITHM_3DES:
-		key_info->key_type = CKM_DES3_ECB;
+		key_info->key_type = CKK_DES3;
 		break;
 	case SC_ALGORITHM_AES:
-		key_info->key_type = CKM_AES_ECB;
+		key_info->key_type = CKK_AES;
+		break;
+	default:
+		key_info->key_type = CKK_GENERIC_SECRET;
 		break;
 	}
 	key_info->value_len = keybits;
@@ -1931,11 +1934,17 @@ sc_pkcs15init_store_secret_key(struct sc_pkcs15_card *p15card, struct sc_profile
 
 	sc_pkcs15_free_object_content(object);
 
-	/* Now update the SKDF */
-	r = sc_pkcs15init_add_object(p15card, profile, SC_PKCS15_SKDF, object);
-	LOG_TEST_RET(ctx, r, "Failed to add new secret key PKCS#15 object");
+	/* Now update the SKDF, unless it is a session object.
+	   If we have an on card session object, we have created the actual key object on card.
+	   The card handles removing it when the session is finished or during the next reset.
+	   We will maintain the object in the P15 structure in memory for duration of the session,
+	   but we don't want it to be written into SKDF. */
+	if (!object->session_object) {
+		r = sc_pkcs15init_add_object(p15card, profile, SC_PKCS15_SKDF, object);
+		LOG_TEST_RET(ctx, r, "Failed to add new secret key PKCS#15 object");
+	}
 
-	if (!r && profile->ops->emu_store_data)   {
+	if (!r && profile->ops->emu_store_data && !object->session_object)   {
 		r = profile->ops->emu_store_data(p15card, profile, object, NULL, NULL);
 		if (r == SC_ERROR_NOT_IMPLEMENTED)
 			r = SC_SUCCESS;
@@ -2584,6 +2593,7 @@ key_pkcs15_algo(struct sc_pkcs15_card *p15card, unsigned int algorithm)
 	case SC_ALGORITHM_3DES:
 		return SC_PKCS15_TYPE_SKEY_3DES;
 	case SC_ALGORITHM_AES:
+	case SC_ALGORITHM_UNDEFINED:
 		return SC_PKCS15_TYPE_SKEY_GENERIC;
 	}
 	sc_log(ctx, "Unsupported key algorithm.");

src/pkcs15init/pkcs15-myeid.c

@@ -481,11 +481,11 @@ myeid_fixup_supported_algos(struct sc_profile *profile, struct sc_pkcs15_card *p
 	switch (object->type) {
 	case SC_PKCS15_TYPE_SKEY_GENERIC:
 		switch (skey_info->key_type | (skey_info->value_len << 16)) {
-		case CKM_AES_ECB | (128 << 16):
+		case CKK_AES | (128 << 16):
 			_add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_ECB, &id_aes128_ecb);
 			_add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_CBC, &id_aes128_cbc);
 			break;
-		case CKM_AES_ECB | (256 << 16):
+		case CKK_AES | (256 << 16):
 			_add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_ECB, &id_aes256_ecb);
 			_add_supported_algo(profile, p15card, object, SC_PKCS15_ALGO_OP_DECIPHER|SC_PKCS15_ALGO_OP_ENCIPHER, CKM_AES_CBC, &id_aes256_cbc);
 			break;
@@ -539,10 +539,10 @@ myeid_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
 			if ((skey_info->access_flags & SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE) == SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE)
 				extractable = TRUE;
 			switch (skey_info->key_type) {
-			case CKM_AES_ECB:
+			case CKK_AES:
 				ef_structure = SC_CARDCTL_MYEID_KEY_AES;
 				break;
-			case CKM_DES_ECB:
+			case CKK_DES:
 				ef_structure = SC_CARDCTL_MYEID_KEY_DES;
 				break;
 			default: