in kmsp11/session.cc [570:611]
// Generates a new secret key in Cloud KMS and returns the handle of the
// matching CKO_SECRET_KEY object on this session's token.
//
// Validation runs, in order, before anything is created: the session must
// not be read-only; `mechanism.mechanism` must be CKM_GENERIC_SECRET_KEY_GEN
// or CKM_AES_KEY_GEN; the mechanism must carry no parameter; and the keygen
// mechanism implied by `secret_key_attrs` (via ExtractKeyGenerationParams)
// must equal the requested one, otherwise CKR_TEMPLATE_INCONSISTENT. Only
// then is a CryptoKey/CryptoKeyVersion created through CreateKeyAndVersion,
// the token state refreshed, and the new object looked up by its KMS key
// version name.
//
// `experimental_create_multiple_versions` and `allow_software_keys` are
// forwarded to CreateKeyAndVersion (the latter also to
// ExtractKeyGenerationParams); their exact semantics live in those helpers.
absl::StatusOr<CK_OBJECT_HANDLE> Session::GenerateKey(
    const CK_MECHANISM& mechanism,
    absl::Span<const CK_ATTRIBUTE> secret_key_attrs,
    bool experimental_create_multiple_versions, bool allow_software_keys) {
  // Key creation mutates the token, so a read-only session is rejected
  // before any other check.
  if (session_type_ == SessionType::kReadOnly) {
    return SessionReadOnlyError(SOURCE_LOCATION);
  }

  const CK_MECHANISM_TYPE mech_type = mechanism.mechanism;
  const bool is_supported_keygen = mech_type == CKM_GENERIC_SECRET_KEY_GEN ||
                                   mech_type == CKM_AES_KEY_GEN;
  if (!is_supported_keygen) {
    return InvalidMechanismError(mech_type, "GenerateKey", SOURCE_LOCATION);
  }

  // Neither supported mechanism takes a parameter: a non-null pointer or a
  // non-zero length is treated as a malformed request.
  if (mechanism.ulParameterLen > 0 || mechanism.pParameter != nullptr) {
    return InvalidMechanismParamError(
        "key generation mechanisms do not take parameters", SOURCE_LOCATION);
  }

  ASSIGN_OR_RETURN(
      KeyGenerationParams params,
      ExtractKeyGenerationParams(secret_key_attrs, allow_software_keys));

  // The template's algorithm implies its own keygen mechanism; it must be
  // the one the caller asked for.
  if (params.algorithm.key_gen_mechanism != mech_type) {
    return NewInvalidArgumentError("algorithm mismatches keygen mechanism",
                                   CKR_TEMPLATE_INCONSISTENT, SOURCE_LOCATION);
  }

  ASSIGN_OR_RETURN(
      CryptoKeyAndVersion created,
      CreateKeyAndVersion(*kms_client_, token_->key_ring_name(), params,
                          experimental_create_multiple_versions,
                          allow_software_keys));

  // Refresh before the lookup so the token's object set reflects the version
  // that was just created.
  RETURN_IF_ERROR(token_->RefreshState(*kms_client_));

  auto matches_new_key = [&](const Object& o) -> bool {
    return o.kms_key_name() == created.crypto_key_version.name() &&
           o.object_class() == CKO_SECRET_KEY;
  };
  return token_->FindSingleObject(matches_new_key);
}