From 2f94a6b155ea4d657546a824446794611cf58d94 Mon Sep 17 00:00:00 2001
From: Alessio Di Mauro
Date: Wed, 23 Jun 2021 15:29:29 +0200
Subject: [PATCH] pkcs11-tool: allow setting CKA_EXTRACTABLE during keypair generation

Section 4.9 of the PKCS#11 v2.40 specification [1], mentions CKA_EXTRACTABLE as a valid attribute for Private Key objects. However, when calling "pkcs11-tool" with the "--exportable" option, the attribute is not set as part of the private key template.

[1]: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os-complete.html
---
 src/tools/pkcs11-tool.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 498018c8..ffd3666c 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -2745,6 +2745,12 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
 n_privkey_attr++;
 }
 
+ if (opt_is_extractable != 0) {
+ FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_EXTRACTABLE,
+ &_true, sizeof(_true));
+ n_privkey_attr++;
+ }
+
 if (opt_allowed_mechanisms_len > 0) {
 FILL_ATTR(privateKeyTemplate[n_privkey_attr], CKA_ALLOWED_MECHANISMS, opt_allowed_mechanisms,
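Review bot: The added `CKA_EXTRACTABLE` block writes `privateKeyTemplate[n_privkey_attr]` and bumps the index with no check against the array's capacity, the same pattern as the blocks around it. The declaration of `privateKeyTemplate` is outside this hunk, so its size should be confirmed to still hold every optional attribute at once now that one more slot can be consumed. The attribute is also only ever sent as true: when the option is absent nothing is put in the template, so the token's own default decides whether the private key can be wrapped out. A comment above the block such as `/* Only set when requested; otherwise the token default for CKA_EXTRACTABLE applies. An extractable private key can leave the token via C_WrapKey. */` would make that explicit. gen_keypair's body starts and ends outside the hunk.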