pkcs11-tool: Add extractable option to key import

Signed-off-by: Raul Metsma <raul@metsma.ee>
2019-05-09 14:55:25 +03:00 · 2019-05-09 14:55:25 +03:00 · 3a192e2c87
parent a2dd500624
commit 3a192e2c87
2 changed files with 28 additions and 2 deletions
--- a/doc/tools/pkcs11-tool.1.xml
+++ b/doc/tools/pkcs11-tool.1.xml
@ -319,6 +319,13 @@
 					<listitem><para>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</para></listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--extractable</option>
+					</term>
+					<listitem><para>Set the CKA_EXTRACTABLE attribute (object can be extracted)</para></listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--set-id</option> <replaceable>id</replaceable>,
@ -460,7 +467,7 @@
 					</listitem>
 				</varlistentry>

-                                <varlistentry>
+				<varlistentry>
 					<term>
 						<option>--allowed-mechanisms</option> <replaceable>mechanisms</replaceable>
 					</term>
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@ -141,6 +141,7 @@ enum {
 	OPT_KEY_USAGE_DERIVE,
 	OPT_PRIVATE,
 	OPT_SENSITIVE,
+	OPT_EXTRACTABLE,
 	OPT_TEST_HOTPLUG,
 	OPT_UNLOCK_PIN,
 	OPT_PUK,
@ -227,6 +228,7 @@ static const struct option options[] = {
 	{ "verbose",		0, NULL,		'v' },
 	{ "private",		0, NULL,		OPT_PRIVATE },
 	{ "sensitive",		0, NULL,		OPT_SENSITIVE },
+	{ "extractable",	0, NULL,		OPT_EXTRACTABLE },
 	{ "always-auth",	0, NULL,		OPT_ALWAYS_AUTH },
 	{ "test-ec",		0, NULL,		OPT_TEST_EC },
 #ifndef _WIN32
@ -301,6 +303,7 @@ static const char *option_help[] = {
 	"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
 	"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
 	"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
+	"Set the CKA_EXTRACTABLE attribute (object can be extracted)",
 	"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
 	"Test EC (best used with the --login or --pin option)",
 #ifndef _WIN32
@ -348,6 +351,7 @@ static CK_MECHANISM_TYPE opt_allowed_mechanisms[MAX_ALLOWED_MECHANISMS];
 static size_t		opt_allowed_mechanisms_len = 0;
 static int		opt_is_private = 0;
 static int		opt_is_sensitive = 0;
+static int		opt_is_extractable = 0;
 static int		opt_test_hotplug = 0;
 static int		opt_login_type = -1;
 static int		opt_key_usage_sign = 0;
@ -883,6 +887,9 @@ int main(int argc, char * argv[])
 		case OPT_SENSITIVE:
 			opt_is_sensitive = 1;
 			break;
+		case OPT_EXTRACTABLE:
+			opt_is_extractable = 1;
+			break;
 		case OPT_TEST_HOTPLUG:
 			opt_test_hotplug = 1;
 			action_count++;
@ -3136,6 +3143,10 @@ static int write_object(CK_SESSION_HANDLE session)
 				&_true, sizeof(_true));
 			n_privkey_attr++;
 		}
+		if (opt_is_extractable != 0) {
+			FILL_ATTR(privkey_templ[n_privkey_attr], CKA_EXTRACTABLE, &_true, sizeof(_true));
+			n_privkey_attr++;
+		}
 		if (opt_allowed_mechanisms_len > 0) {
 			FILL_ATTR(privkey_templ[n_privkey_attr],
 				CKA_ALLOWED_MECHANISMS, opt_allowed_mechanisms,
@ -3302,7 +3313,7 @@ static int write_object(CK_SESSION_HANDLE session)
 		break;
 	case CKO_SECRET_KEY:
 		clazz = CKO_SECRET_KEY;
-		type = CKK_AES;
+		type = CKK_GENERIC_SECRET;

 		if (opt_key_type != 0) {
 			if (strncasecmp(opt_key_type, "AES:", strlen("AES:")) == 0)
@ -3336,6 +3347,14 @@ static int write_object(CK_SESSION_HANDLE session)
 			FILL_ATTR(seckey_templ[n_seckey_attr], CKA_SENSITIVE, &_false, sizeof(_false));
 			n_seckey_attr++;
 		}
+		if (opt_is_extractable != 0) {
+			FILL_ATTR(seckey_templ[n_seckey_attr], CKA_EXTRACTABLE, &_true, sizeof(_true));
+			n_seckey_attr++;
+		}
+		else {
+			FILL_ATTR(seckey_templ[n_seckey_attr], CKA_EXTRACTABLE, &_false, sizeof(_false));
+			n_seckey_attr++;
+		}

 		if (opt_object_label != NULL) {
 			FILL_ATTR(seckey_templ[n_seckey_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));