sensitive flag added to generate key with CKA_SENSITIVE flag

Pavel Cherezov 2017-09-12 16:08:22 +03:00 committed by Frank Morgner
parent 00535f0174
commit 2cf0a119f4
1 changed files with 19 additions and 2 deletions


@ -134,6 +134,7 @@ enum {
OPT_KEY_USAGE_DECRYPT,
OPT_KEY_USAGE_DERIVE,
OPT_PRIVATE,
OPT_SENSITIVE,
OPT_TEST_HOTPLUG,
OPT_UNLOCK_PIN,
OPT_PUK,
@ -204,6 +205,7 @@ static const struct option options[] = {
{ "moz-cert", 1, NULL, 'z' },
{ "verbose", 0, NULL, 'v' },
{ "private", 0, NULL, OPT_PRIVATE },
{ "sensitive", 0, NULL, OPT_SENSITIVE },
{ "test-ec", 0, NULL, OPT_TEST_EC },
#ifndef _WIN32
{ "test-fork", 0, NULL, OPT_TEST_FORK },
@ -269,6 +271,7 @@ static const char *option_help[] = {
"Test Mozilla-like keypair gen and cert req, <arg>=certfile",
"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
"Set the CKA_SENSITIVE attribute (object is protected by HSM)",
"Test EC (best used with the --login or --pin option)",
#ifndef _WIN32
"Test forking and calling C_Initialize() in the child",
@ -308,6 +311,7 @@ static char * opt_subject = NULL;
static char * opt_key_type = NULL;
static char * opt_sig_format = NULL;
static int opt_is_private = 0;
static int opt_is_sensitive = 0;
static int opt_test_hotplug = 0;
static int opt_login_type = -1;
static int opt_key_usage_sign = 0;
@ -808,6 +812,9 @@ int main(int argc, char * argv[])
case OPT_PRIVATE:
opt_is_private = 1;
break;
case OPT_SENSITIVE:
opt_is_sensitive = 1;
break;
case OPT_TEST_HOTPLUG:
opt_test_hotplug = 1;
action_count++;
@ -1329,7 +1336,7 @@ static int login(CK_SESSION_HANDLE session, int login_type)
pin_flags=info.flags & (
CKF_SO_PIN_COUNT_LOW |
CKF_SO_PIN_FINAL_TRY |
CKF_SO_PIN_LOCKED |
CKF_SO_PIN_LOCKED |
CKF_SO_PIN_TO_BE_CHANGED);
if(pin_flags)
printf("WARNING: %s\n",p11_token_info_flags(pin_flags));
@ -1340,7 +1347,7 @@ static int login(CK_SESSION_HANDLE session, int login_type)
pin_flags=info.flags & (
CKF_USER_PIN_COUNT_LOW |
CKF_USER_PIN_FINAL_TRY |
CKF_USER_PIN_LOCKED |
CKF_USER_PIN_LOCKED |
CKF_USER_PIN_TO_BE_CHANGED);
if(pin_flags)
printf("WARNING: %s\n",p11_token_info_flags(pin_flags));
@ -2039,6 +2046,7 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
CK_MECHANISM mechanism = {CKM_AES_KEY_GEN, NULL_PTR, 0};
CK_OBJECT_CLASS secret_key_class = CKO_SECRET_KEY;
CK_BBOOL _true = TRUE;
CK_BBOOL _false = FALSE;
CK_KEY_TYPE key_type = CKK_AES;
CK_ULONG key_length;
CK_ATTRIBUTE keyTemplate[20] = {
@ -2113,6 +2121,15 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
util_fatal("Unknown key type %s", type);
}
if (opt_is_sensitive != 0) {
FILL_ATTR(keyTemplate[n_attr], CKA_SENSITIVE, &_true, sizeof(_true));
n_attr++;
}
else {
FILL_ATTR(keyTemplate[n_attr], CKA_SENSITIVE, &_false, sizeof(_false));
n_attr++;
}
FILL_ATTR(keyTemplate[n_attr], CKA_ENCRYPT, &_true, sizeof(_true));
n_attr++;
FILL_ATTR(keyTemplate[n_attr], CKA_DECRYPT, &_true, sizeof(_true));
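Review bot: The `else` branch added in the last hunk (gen_key) writes `CKA_SENSITIVE = FALSE` into the template whenever `--sensitive` is not given, so an ordinary key-generation run now explicitly asks for a secret key whose value may be readable in plaintext instead of leaving the attribute to the token's default. Unless the `keyTemplate` initialiser (outside this hunk) already sets the attribute, I would add it only on request and drop the `else`: `if (opt_is_sensitive != 0) { FILL_ATTR(keyTemplate[n_attr], CKA_SENSITIVE, &_true, sizeof(_true)); n_attr++; }`, which also makes the new `_false` variable unnecessary. The help string `(object is protected by HSM)` does not say what the attribute does; `"Set the CKA_SENSITIVE attribute (key value cannot be revealed in plaintext)"` would be clearer. In the visible hunks the option is consumed only in gen_key, so it appears to have no effect on other object-creation paths, and the help text should say so if that is intended. gen_key's body starts and ends outside the hunk, so the number of entries already placed in `keyTemplate[20]` cannot be checked from here.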