authorwyllys <none@none>2008-04-03 14:25:19 -0700
committerwyllys <none@none>2008-04-03 14:25:19 -0700
commitfa60c371cd00bdca17de2ff18fe3e64d051ae61b (patch)
tree2ebb5dfcf1b5725debd600e618ca49c8149df684
parentc08e5e1a6b0518eb8f644673c26e1d3f22a773b0 (diff)
downloadillumos-joyent-fa60c371cd00bdca17de2ff18fe3e64d051ae61b.tar.gz
6669251 KMF needs to support empty PINs
6669357 KMF pkcs11 incorrectly sets some attributes when creating certificates and keys 6679525 [CLI] Subcommands in pktool's help are overtranslated 6680520 pktool needs to prompt for PIN more often
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/common.c22
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/common.h2
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/gencert.c4
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/genkey.c6
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/import.c15
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/list.c34
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/pktool.c76
-rw-r--r--usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c142
8 files changed, 206 insertions, 95 deletions
diff --git a/usr/src/cmd/cmd-crypto/pktool/common.c b/usr/src/cmd/cmd-crypto/pktool/common.c
index 95c5e2e229..55eb70826f 100644
--- a/usr/src/cmd/cmd-crypto/pktool/common.c
+++ b/usr/src/cmd/cmd-crypto/pktool/common.c
@@ -1174,3 +1174,25 @@ verify_ekunames(char *ekuliststr, EKU_LIST **ekulist)
return (rv);
}
+
+KMF_RETURN
+token_auth_needed(KMF_HANDLE_T handle, char *tokenlabel, int *auth)
+{
+ CK_TOKEN_INFO info;
+ CK_SLOT_ID slot;
+ CK_RV ckrv;
+ KMF_RETURN rv;
+
+ *auth = 0;
+ rv = kmf_pk11_token_lookup(handle, tokenlabel, &slot);
+ if (rv != KMF_OK)
+ return (rv);
+
+ ckrv = C_GetTokenInfo(slot, &info);
+ if (ckrv != KMF_OK)
+ return (KMF_ERR_INTERNAL);
+
+ *auth = (info.flags & CKF_LOGIN_REQUIRED);
+
+ return (KMF_OK);
+}
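Review bot: The PKCS#11 status in token_auth_needed is tested against a KMF constant at `if (ckrv != KMF_OK)`; `ckrv` is a `CK_RV`, so the check should read `if (ckrv != CKR_OK)`, which is how the rest of this commit separates the two status spaces in pkcs11_spi.c. The function also writes `*auth = 0` before any validation, so a header comment should say that `auth` must be non-NULL and that `*auth` is nonzero (the raw `CKF_LOGIN_REQUIRED` bit, not 1) when the token requires a login.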
diff --git a/usr/src/cmd/cmd-crypto/pktool/common.h b/usr/src/cmd/cmd-crypto/pktool/common.h
index 70a3181534..fc2614938a 100644
--- a/usr/src/cmd/cmd-crypto/pktool/common.h
+++ b/usr/src/cmd/cmd-crypto/pktool/common.h
@@ -128,6 +128,7 @@ KMF_RETURN verify_altname(char *arg, KMF_GENERALNAMECHOICES *, int *);
KMF_RETURN verify_keyusage(char *arg, uint16_t *, int *);
KMF_RETURN verify_file(char *);
KMF_RETURN verify_ekunames(char *, EKU_LIST **);
+KMF_RETURN token_auth_needed(KMF_HANDLE_T, char *, int *);
void free_eku_list(EKU_LIST *);
@@ -135,6 +136,7 @@ int yn_to_int(char *);
int get_token_password(KMF_KEYSTORE_TYPE, char *, KMF_CREDENTIAL *);
void display_error(void *, KMF_RETURN, char *);
+
#define DEFAULT_NSS_TOKEN "internal"
#define DEFAULT_TOKEN_PROMPT "Enter PIN for %s: "
diff --git a/usr/src/cmd/cmd-crypto/pktool/gencert.c b/usr/src/cmd/cmd-crypto/pktool/gencert.c
index 4f4652e6ee..c5927e52c5 100644
--- a/usr/src/cmd/cmd-crypto/pktool/gencert.c
+++ b/usr/src/cmd/cmd-crypto/pktool/gencert.c
@@ -119,7 +119,7 @@ gencert_pkcs11(KMF_HANDLE_T kmfhandle,
numattr++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
@@ -537,7 +537,7 @@ gencert_nss(KMF_HANDLE_T kmfhandle,
numattr++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
diff --git a/usr/src/cmd/cmd-crypto/pktool/genkey.c b/usr/src/cmd/cmd-crypto/pktool/genkey.c
index de9e9c858e..5c9b2616ae 100644
--- a/usr/src/cmd/cmd-crypto/pktool/genkey.c
+++ b/usr/src/cmd/cmd-crypto/pktool/genkey.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -87,7 +87,7 @@ genkey_nss(KMF_HANDLE_T kmfhandle, char *token, char *dir, char *prefix,
i++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attlist, i,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
@@ -191,7 +191,7 @@ genkey_pkcs11(KMF_HANDLE_T kmfhandle, char *token,
i++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attlist, i,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
diff --git a/usr/src/cmd/cmd-crypto/pktool/import.c b/usr/src/cmd/cmd-crypto/pktool/import.c
index edcb62332f..d9cdc41cc4 100644
--- a/usr/src/cmd/cmd-crypto/pktool/import.c
+++ b/usr/src/cmd/cmd-crypto/pktool/import.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -376,6 +376,7 @@ pk_import_cert(
{
KMF_RETURN rv = KMF_OK;
KMF_ATTRIBUTE attrlist[32];
+ KMF_CREDENTIAL tokencred;
int i = 0;
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
@@ -416,6 +417,18 @@ pk_import_cert(
}
rv = kmf_import_cert(kmfhandle, i, attrlist);
+ if (rv == KMF_ERR_AUTH_FAILED) {
+ /*
+ * The token requires a credential, prompt and try again.
+ */
+ (void) get_token_password(kstype, token_spec, &tokencred);
+ kmf_set_attr_at_index(attrlist, i, KMF_CREDENTIAL_ATTR,
+ &tokencred, sizeof (KMF_CREDENTIAL));
+ i++;
+
+ rv = kmf_import_cert(kmfhandle, i, attrlist);
+
+ }
return (rv);
}
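Review bot: The retry path in pk_import_cert discards the result of `get_token_password()` while `tokencred` is declared without an initializer in the previous hunk, so a failed prompt may hand the second `kmf_import_cert()` call an indeterminate `cred` pointer and length. Declare it as `KMF_CREDENTIAL tokencred = {NULL, 0};` and retry only when the prompt succeeded and `tokencred.cred != NULL`. The visible lines also return without clearing or freeing the PIN buffer; if `get_token_password()` allocates it, it should be zeroed and released before `return (rv)`. The same unchecked `(void) get_token_password(...)` appears twice in list_pk11_objects in list.c.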
diff --git a/usr/src/cmd/cmd-crypto/pktool/list.c b/usr/src/cmd/cmd-crypto/pktool/list.c
index 02f4da1d65..ad20acb868 100644
--- a/usr/src/cmd/cmd-crypto/pktool/list.c
+++ b/usr/src/cmd/cmd-crypto/pktool/list.c
@@ -311,11 +311,13 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
KMF_RETURN rv;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
int numattr = 0;
- KMF_ATTRIBUTE attrlist[16];
+ KMF_ATTRIBUTE attrlist[18];
boolean_t token_bool = B_TRUE;
boolean_t private = B_FALSE;
KMF_KEY_CLASS keyclass;
KMF_ENCODE_FORMAT format;
+ int auth = 0;
+ KMF_CREDENTIAL cred = {NULL, 0};
/*
* Symmetric keys and RSA/DSA private keys are always
@@ -332,6 +334,13 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
return (rv);
}
+ rv = token_auth_needed(kmfhandle, token, &auth);
+ if (rv != KMF_OK)
+ return (rv);
+
+ if (tokencred != NULL)
+ cred = *tokencred;
+
if (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
@@ -409,6 +418,16 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
int num = numattr;
+ if (auth > 0 && (tokencred == NULL ||
+ tokencred->cred == NULL) &&
+ (cred.cred == NULL)) {
+ (void) get_token_password(kstype, token, &cred);
+ kmf_set_attr_at_index(attrlist, numattr,
+ KMF_CREDENTIAL_ATTR,
+ &cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
+
private = B_FALSE;
keyclass = KMF_ASYM_PUB;
kmf_set_attr_at_index(attrlist, num,
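Review bot: The credential attribute added in the PK_PUBKEY_OBJ branch is overwritten straight away: `int num = numattr;` is taken before the new block, the block stores KMF_CREDENTIAL_ATTR at index `numattr` (the same slot) and increments `numattr`, and the following `kmf_set_attr_at_index(attrlist, num, ...)` then writes into that slot. Re-reading the index after the block, by adding `num = numattr;` below its closing brace, keeps the credential in the list. The `(tokencred == NULL || tokencred->cred == NULL)` part of the condition is redundant with `cred.cred == NULL`, because `cred` was copied from `*tokencred` in the previous hunk. The branch continues past the end of this hunk, so how `num` is passed on as the attribute count is not visible here.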
@@ -429,7 +448,18 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
+
numattr++;
+ if (auth > 0 && (cred.cred == NULL)) {
+ (void) get_token_password(kstype, token, &cred);
+ }
+
+ if (cred.cred != NULL) {
+ kmf_set_attr_at_index(attrlist, numattr,
+ KMF_CREDENTIAL_ATTR,
+ &cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
if (objlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
@@ -452,7 +482,7 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
numattr++;
}
- if (serial != NULL) {
+ if (serial != NULL && serial->val != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_BIGINT_ATTR, serial,
sizeof (KMF_BIGINT));
diff --git a/usr/src/cmd/cmd-crypto/pktool/pktool.c b/usr/src/cmd/cmd-crypto/pktool/pktool.c
index d781f62a65..c9fb819591 100644
--- a/usr/src/cmd/cmd-crypto/pktool/pktool.c
+++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c
@@ -73,26 +73,26 @@ extern int pk_signcsr(int argc, char *argv[]);
static int pk_help(int argc, char *argv[]);
#define TOKEN_IDX 0
-#define TOKEN_VERB gettext("tokens")
+#define TOKEN_VERB "tokens"
#define TOKEN_SUMM gettext("lists all visible PKCS#11 tokens")
-#define TOKEN_SYN gettext("tokens")
+#define TOKEN_SYN "tokens"
#define SETPIN_IDX 1
-#define SETPIN_VERB gettext("setpin")
+#define SETPIN_VERB "setpin"
#define SETPIN_SUMM gettext("changes user authentication passphrase "\
"for keystore access")
-#define SETPIN_SYN gettext(\
+#define SETPIN_SYN \
"setpin [ keystore=pkcs11 ]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t" \
"setpin keystore=nss\n\t\t" \
"[ token=token ]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ prefix=DBprefix ]\n\t")
+ "[ prefix=DBprefix ]\n\t"
#define LIST_IDX 2
-#define LIST_VERB gettext("list")
+#define LIST_VERB "list"
#define LIST_SUMM gettext("lists a summary of objects in the keystore")
-#define LIST_SYN gettext(\
+#define LIST_SYN \
"list [ token=token[:manuf[:serial]]]\n\t\t" \
"[ objtype=private|public|both ]\n\t\t" \
"[ label=label ]\n\t" \
@@ -146,12 +146,12 @@ static int pk_help(int argc, char *argv[]);
\
"list keystore=file objtype=crl\n\t\t" \
"infile=crl-fn\n\t\t" \
- "[ dir=directory-path ]\n\t")
+ "[ dir=directory-path ]\n\t"
#define DELETE_IDX 3
-#define DELETE_VERB gettext("delete")
+#define DELETE_VERB "delete"
#define DELETE_SUMM gettext("deletes objects in the keystore")
-#define DELETE_SYN gettext(\
+#define DELETE_SYN \
"delete [ token=token[:manuf[:serial]]]\n\t\t" \
"[ objtype=private|public|both ]\n\t\t" \
"[ label=object-label ]\n\t" \
@@ -212,12 +212,12 @@ static int pk_help(int argc, char *argv[]);
\
"delete keystore=file objtype=crl\n\t\t" \
"infile=crl-fn\n\t\t" \
- "[ dir=directory-path ]\n\t")
+ "[ dir=directory-path ]\n\t"
#define IMPORT_IDX 4
-#define IMPORT_VERB gettext("import")
+#define IMPORT_VERB "import"
#define IMPORT_SUMM gettext("imports objects from an external source")
-#define IMPORT_SYN gettext(\
+#define IMPORT_SYN \
"import [token=token[:manuf[:serial]]]\n\t\t" \
"infile=input-fn\n\t" \
\
@@ -263,12 +263,12 @@ static int pk_help(int argc, char *argv[]);
"infile=input-crl-fn\n\t\t" \
"outcrl=output-crl-fn\n\t\t" \
"outformat=pem|der\n\t\t" \
- "[ dir=output-crl-directory-path ]\n\t")
+ "[ dir=output-crl-directory-path ]\n\t"
#define EXPORT_IDX 5
-#define EXPORT_VERB gettext("export")
+#define EXPORT_VERB "export"
#define EXPORT_SUMM gettext("exports objects from the keystore to a file")
-#define EXPORT_SYN gettext(\
+#define EXPORT_SYN \
"export [token=token[:manuf[:serial]]]\n\t\t" \
"outfile=output-fn\n\t" \
\
@@ -298,12 +298,12 @@ static int pk_help(int argc, char *argv[]);
"certfile=cert-input-fn\n\t\t" \
"keyfile=key-input-fn\n\t\t" \
"outfile=output-pkcs12-fn\n\t\t" \
- "[ dir=directory-path ]\n\t")
+ "[ dir=directory-path ]\n\t"
#define GENCERT_IDX 6
-#define GENCERT_VERB gettext("gencert")
+#define GENCERT_VERB "gencert"
#define GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate")
-#define GENCERT_SYN gettext(\
+#define GENCERT_SYN \
"gencert [-i] keystore=nss\n\t\t" \
"label=cert-nickname\n\t\t" \
"serial=serial number hex string]\n\t\t" \
@@ -344,14 +344,14 @@ static int pk_help(int argc, char *argv[]);
"[ keytype=rsa|dsa ]\n\t\t" \
"[ keylen=key-size ]\n\t\t" \
"[ eku=[critical:]EKU name,...]\n\t\t" \
- "[ lifetime=number-hour|number-day|number-year ]\n\t")
+ "[ lifetime=number-hour|number-day|number-year ]\n\t"
#define GENCSR_IDX 7
-#define GENCSR_VERB gettext("gencsr")
+#define GENCSR_VERB "gencsr"
#define GENCSR_SUMM gettext("creates a PKCS#10 certificate signing " \
"request file")
-#define GENCSR_SYN gettext(\
+#define GENCSR_SYN \
"gencsr [-i] keystore=nss \n\t\t" \
"nickname=cert-nickname\n\t\t" \
"outcsr=csr-fn\n\t\t" \
@@ -388,22 +388,22 @@ static int pk_help(int argc, char *argv[]);
"[ keylen=key-size ]\n\t\t" \
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ format=pem|der ]\n\t")
+ "[ format=pem|der ]\n\t"
#define DOWNLOAD_IDX 8
-#define DOWNLOAD_VERB gettext("download")
+#define DOWNLOAD_VERB "download"
#define DOWNLOAD_SUMM gettext("downloads a CRL or certificate file " \
"from an external source")
-#define DOWNLOAD_SYN gettext(\
+#define DOWNLOAD_SYN \
"download url=url_str\n\t\t" \
"[ objtype=crl|cert ]\n\t\t" \
"[ http_proxy=proxy_str ]\n\t\t" \
- "[ outfile = outfile ]\n\t")
+ "[ outfile = outfile ]\n\t"
#define GENKEY_IDX 9
-#define GENKEY_VERB gettext("genkey")
+#define GENKEY_VERB "genkey"
#define GENKEY_SUMM gettext("creates a symmetric key in the keystore")
-#define GENKEY_SYN gettext(\
+#define GENKEY_SYN \
"genkey [ keystore=pkcs11 ]\n\t\t" \
"label=key-label\n\t\t" \
"[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \
@@ -426,12 +426,12 @@ static int pk_help(int argc, char *argv[]);
"[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \
"[ keylen=key-size (AES, ARCFOUR or GENERIC only)]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ print=y|n ]\n\t")
+ "[ print=y|n ]\n\t"
#define SIGNCSR_IDX 10
-#define SIGNCSR_VERB gettext("signcsr")
+#define SIGNCSR_VERB "signcsr"
#define SIGNCSR_SUMM gettext("Sign a PKCS#10 Certificate Signing Request")
-#define SIGNCSR_SYN gettext(\
+#define SIGNCSR_SYN \
"signcsr keystore=pkcs11\n\t\t" \
"signkey=label (label of signing key)\n\t\t" \
"csr=CSR filename\n\t\t" \
@@ -477,12 +477,12 @@ static int pk_help(int argc, char *argv[]);
"[ lifetime=number-hour|number-day|number-year ]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ prefix=DBprefix ]\n\t")
+ "[ prefix=DBprefix ]\n\t"
#define HELP_IDX 11
-#define HELP_VERB gettext("help")
+#define HELP_VERB "help"
#define HELP_SUMM gettext("displays help message")
-#define HELP_SYN gettext("help\t(help and usage)")
+#define HELP_SYN "help\t(help and usage)"
/* Command structure for verbs and their actions. Do NOT i18n/l10n. */
static verbcmd cmds[] = {
@@ -555,7 +555,6 @@ init_command_list()
cmds[HELP_IDX].verb = HELP_VERB;
cmds[HELP_IDX].summary = HELP_SUMM;
cmds[HELP_IDX].synopsis = HELP_SYN;
-
}
/*
@@ -583,9 +582,10 @@ usage(int idx)
(void) fprintf(stdout, " %-8s - %s\n",
cmds[i].verb, cmds[i].summary);
}
- (void) fprintf(stdout, gettext("\nFurther details on the "
- "subcommands can be found by adding \'help\'.\n"
- "Ex: pktool gencert help\n\n"));
+ (void) fprintf(stdout, "%s \'help\'.\n"
+ "Ex: pktool gencert help\n\n",
+ gettext("\nFurther details on the "
+ "subcommands can be found by adding"));
} else {
(void) fprintf(stdout, "\t%s\n", cmds[idx].synopsis);
}
diff --git a/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c b/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c
index ad4043c065..04a65a10ed 100644
--- a/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c
+++ b/usr/src/lib/libkmf/plugins/kmf_pkcs11/common/pkcs11_spi.c
@@ -207,7 +207,7 @@ pk11_authenticate(KMF_HANDLE_T handle,
if (hSession == NULL)
return (KMF_ERR_NO_TOKEN_SELECTED);
- if (cred == NULL || cred->cred == NULL || cred->credlen == 0) {
+ if (cred == NULL || cred->cred == NULL) {
return (KMF_ERR_BAD_PARAMETER);
}
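Review bot: Nothing at the relaxed check in pk11_authenticate records that a zero-length credential is now accepted on purpose, so a later reader is likely to restore the `credlen == 0` test. A comment above the condition would capture the intent, for example `/* credlen may be 0: tokens with an empty PIN are valid (6669251) */`. The function body extends beyond this hunk, so how `credlen` reaches the login call is not visible here.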
@@ -686,6 +686,7 @@ KMFPK11_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
char *subject = NULL;
KMF_BIGINT *serial = NULL;
KMF_CERT_VALIDITY validity;
+ KMF_CREDENTIAL *cred = NULL;
boolean_t private;
if (kmfh == NULL)
@@ -729,6 +730,13 @@ KMFPK11_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
rv = KMF_OK;
}
+ cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
+ if (cred != NULL) {
+ rv = pk11_authenticate(handle, cred);
+ if (rv != KMF_OK)
+ return (rv);
+ }
+
/* Start searching */
rv = search_certs(handle, certlabel, issuer, subject, serial, private,
validity, &objlist, num_certs);
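Review bot: A credential attribute whose `cred` pointer is NULL now makes KMFPK11_FindCert fail, because `if (cred != NULL)` passes it to pk11_authenticate(), which returns KMF_ERR_BAD_PARAMETER when `cred->cred == NULL`. A caller that supplies a zeroed KMF_CREDENTIAL to mean "no PIN given" is rejected instead of being served unauthenticated; testing `if (cred != NULL && cred->cred != NULL)` would match the condition the pktool callers use in this commit. The same test is used in the new blocks in KMFPK11_StoreCert, KMFPK11_ImportCert and store_raw_key, and in KMFPK11_FindKey, where dropping `cred->credlen > 0` changes behaviour for existing callers.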
@@ -805,16 +813,16 @@ KMFPK11_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *pKey,
SETATTR(rsaTemplate, 0, CKA_CLASS, &ckObjClass, sizeof (ckObjClass));
SETATTR(rsaTemplate, 1, CKA_KEY_TYPE, &ckKeyType, sizeof (ckKeyType));
- SETATTR(rsaTemplate, 2, CKA_MODULUS, Modulus.Data, &Modulus.Length);
+ SETATTR(rsaTemplate, 2, CKA_MODULUS, Modulus.Data, Modulus.Length);
SETATTR(rsaTemplate, 3, CKA_PUBLIC_EXPONENT, Exponent.Data,
- &Exponent.Length);
+ Exponent.Length);
SETATTR(dsaTemplate, 0, CKA_CLASS, &ckObjClass, sizeof (ckObjClass));
SETATTR(dsaTemplate, 1, CKA_KEY_TYPE, &ckKeyType, sizeof (ckKeyType));
- SETATTR(dsaTemplate, 2, CKA_PRIME, Prime.Data, &Prime.Length);
- SETATTR(dsaTemplate, 3, CKA_SUBPRIME, Subprime.Data, &Subprime.Length);
- SETATTR(dsaTemplate, 4, CKA_BASE, Base.Data, &Base.Length);
- SETATTR(dsaTemplate, 5, CKA_VALUE, Value.Data, &Value.Length);
+ SETATTR(dsaTemplate, 2, CKA_PRIME, Prime.Data, Prime.Length);
+ SETATTR(dsaTemplate, 3, CKA_SUBPRIME, Subprime.Data, Subprime.Length);
+ SETATTR(dsaTemplate, 4, CKA_BASE, Base.Data, Base.Length);
+ SETATTR(dsaTemplate, 5, CKA_VALUE, Value.Data, Value.Length);
switch (pKey->keyalg) {
case KMF_RSA:
@@ -1042,7 +1050,6 @@ cleanup:
return (ret);
}
-
static KMF_RETURN
CreateCertObject(KMF_HANDLE_T handle, char *label, KMF_DATA *pcert)
{
@@ -1127,7 +1134,6 @@ CreateCertObject(KMF_HANDLE_T handle, char *label, KMF_DATA *pcert)
&Id);
if (rv != KMF_OK) {
- SET_ERROR(kmfh, rv);
goto cleanup;
}
@@ -1152,8 +1158,17 @@ CreateCertObject(KMF_HANDLE_T handle, char *label, KMF_DATA *pcert)
*/
ckrv = C_CreateObject(kmfh->pk11handle, x509templ, i, &hCert);
if (ckrv != CKR_OK) {
- SET_ERROR(kmfh, rv);
- rv = KMF_ERR_INTERNAL;
+ /* Report authentication failures to the caller */
+ if (ckrv == CKR_USER_NOT_LOGGED_IN ||
+ ckrv == CKR_PIN_INCORRECT ||
+ ckrv == CKR_PIN_INVALID ||
+ ckrv == CKR_PIN_EXPIRED ||
+ ckrv == CKR_PIN_LOCKED ||
+ ckrv == CKR_SESSION_READ_ONLY)
+ rv = KMF_ERR_AUTH_FAILED;
+ else
+ rv = KMF_ERR_INTERNAL;
+ SET_ERROR(kmfh, ckrv);
}
free(subject);
free(issuer);
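Review bot: The six-way `ckrv ==` test that maps token errors to KMF_ERR_AUTH_FAILED is written out in full here in CreateCertObject and again in KMFPK11_CreateSymKey and create_generic_secret_key, so the three copies can drift apart. A small static predicate would keep the list in one place, with the two key-creation paths using KMF_ERR_KEYGEN_FAILED as their fallback instead of KMF_ERR_INTERNAL. A comment should also explain why CKR_PIN_LOCKED and CKR_SESSION_READ_ONLY are reported as authentication failures, since pk_import_cert reacts to that code by prompting for a PIN and retrying.

```c
/* B_TRUE when the token rejected the call for lack of a valid login. */
static boolean_t
pk11_is_auth_failure(CK_RV ckrv)
{
	switch (ckrv) {
	case CKR_USER_NOT_LOGGED_IN:
	case CKR_PIN_INCORRECT:
	case CKR_PIN_INVALID:
	case CKR_PIN_EXPIRED:
	case CKR_PIN_LOCKED:
	case CKR_SESSION_READ_ONLY:
		return (B_TRUE);
	default:
		return (B_FALSE);
	}
}

/* ... unchanged: x509templ setup and C_CreateObject call ... */
	if (ckrv != CKR_OK) {
		/* Report authentication failures to the caller */
		rv = pk11_is_auth_failure(ckrv) ?
		    KMF_ERR_AUTH_FAILED : KMF_ERR_INTERNAL;
		SET_ERROR(kmfh, ckrv);
	}
```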
@@ -1176,6 +1191,7 @@ KMFPK11_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
KMF_RETURN rv = 0;
KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
KMF_DATA *cert = NULL;
+ KMF_CREDENTIAL *cred = NULL;
char *label = NULL;
if (kmfh == NULL)
@@ -1191,6 +1207,13 @@ KMFPK11_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
/* label attribute is optional */
label = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
+ cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
+ if (cred != NULL) {
+ rv = pk11_authenticate(handle, cred);
+ if (rv != KMF_OK)
+ return (rv);
+ }
+
rv = CreateCertObject(handle, label, cert);
return (rv);
}
@@ -1203,6 +1226,7 @@ KMFPK11_ImportCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
char *certfile = NULL;
char *label = NULL;
KMF_ENCODE_FORMAT format;
+ KMF_CREDENTIAL *cred = NULL;
KMF_DATA cert1 = { NULL, 0};
KMF_DATA cert2 = { NULL, 0};
@@ -1247,6 +1271,13 @@ KMFPK11_ImportCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
cert2.Length = (size_t)derlen;
}
+ cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
+ if (cred != NULL) {
+ rv = pk11_authenticate(handle, cred);
+ if (rv != KMF_OK)
+ return (rv);
+ }
+
rv = CreateCertObject(handle, label,
format == KMF_FORMAT_ASN1 ? &cert1 : &cert2);
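Review bot: The early `return (rv)` after a failed pk11_authenticate() in KMFPK11_ImportCert runs after the certificate data has been loaded into `cert1`/`cert2`, so it probably skips whatever releases those buffers. The cleanup code is outside this hunk, so this is inferred. If the function frees `cert1.Data` and `cert2.Data` at its end, the new block should fall through to that code, for example by guarding the CreateCertObject() call with `if (rv == KMF_OK)`, or the authentication should be moved ahead of the file read.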
@@ -1350,7 +1381,6 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
static CK_OBJECT_CLASS priClass = CKO_PRIVATE_KEY;
static CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- static CK_ULONG rsaKeyType = CKK_RSA;
static CK_ULONG modulusBits = 1024;
uint32_t modulusBits_size = sizeof (CK_ULONG);
static CK_BYTE PubExpo[3] = {0x01, 0x00, 0x01};
@@ -1478,7 +1508,7 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
if (keytype == KMF_RSA) {
CK_MECHANISM keyGenMech = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0};
CK_BYTE *modulus;
- CK_ULONG modulusLength;
+ CK_ULONG modulusLength = 0;
CK_ATTRIBUTE modattr[1];
KMF_BIGINT *rsaexp = NULL;
int numpubattr = 0, numpriattr = 0;
@@ -1491,18 +1521,10 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
if (rv != KMF_OK)
return (KMF_ERR_BAD_PARAMETER);
- SETATTR(rsaPubKeyTemplate, numpubattr, CKA_CLASS,
- &pubClass, sizeof (pubClass));
- numpubattr++;
- SETATTR(rsaPubKeyTemplate, numpubattr, CKA_KEY_TYPE,
- &rsaKeyType, sizeof (rsaKeyType));
- numpubattr++;
SETATTR(rsaPubKeyTemplate, numpubattr, CKA_TOKEN,
(storekey ? &true : &false), sizeof (CK_BBOOL));
numpubattr++;
- SETATTR(rsaPubKeyTemplate, numpubattr, CKA_PRIVATE,
- &false, sizeof (false));
- numpubattr++;
+
SETATTR(rsaPubKeyTemplate, numpubattr, CKA_MODULUS_BITS,
&modulusBits, sizeof (modulusBits));
numpubattr++;
@@ -1526,13 +1548,10 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
SETATTR(rsaPubKeyTemplate, numpubattr, CKA_VERIFY,
&true, sizeof (true));
numpubattr++;
+ SETATTR(rsaPubKeyTemplate, numpubattr, CKA_WRAP,
+ &true, sizeof (true));
+ numpubattr++;
- SETATTR(rsaPriKeyTemplate, numpriattr, CKA_CLASS, &priClass,
- sizeof (priClass));
- numpriattr++;
- SETATTR(rsaPriKeyTemplate, numpriattr, CKA_KEY_TYPE,
- &rsaKeyType, sizeof (rsaKeyType));
- numpriattr++;
SETATTR(rsaPriKeyTemplate, numpriattr, CKA_TOKEN,
(storekey ? &true : &false), sizeof (CK_BBOOL));
numpriattr++;
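Review bot: CKA_WRAP is set unconditionally on the RSA public-key template here, and CKA_UNWRAP on the private-key template in the next hunk, alongside the existing CKA_VERIFY and CKA_SIGN. Every generated pair is then usable for both signing and key transport, which widens what the private key can be used for on a token whose session is already logged in. If the caller's requested key usage is available in KMFPK11_CreateKeypair, these two attributes would be better derived from it. Otherwise a comment such as `/* wrap/unwrap always enabled so the pair can be used for key exchange */` should state why they are always on.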
@@ -1545,8 +1564,10 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
SETATTR(rsaPriKeyTemplate, numpriattr, CKA_SIGN, &true,
sizeof (true));
numpriattr++;
+ SETATTR(rsaPriKeyTemplate, numpriattr, CKA_UNWRAP, &true,
+ sizeof (true));
+ numpriattr++;
- SETATTR(modattr, 0, CKA_MODULUS, NULL, &modulusLength);
pubKey = CK_INVALID_HANDLE;
priKey = CK_INVALID_HANDLE;
@@ -1569,10 +1590,11 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
pubkey->keyclass = KMF_ASYM_PUB;
pubkey->keyp = (void *)pubKey;
+ SETATTR(modattr, 0, CKA_MODULUS, NULL, modulusLength);
/* Get the Modulus field to use as input for creating the ID */
- rv = C_GetAttributeValue(kmfh->pk11handle,
+ ckrv = C_GetAttributeValue(kmfh->pk11handle,
(CK_OBJECT_HANDLE)pubKey, modattr, 1);
- if (rv != CKR_OK) {
+ if (ckrv != CKR_OK) {
SET_ERROR(kmfh, ckrv);
return (KMF_ERR_BAD_PARAMETER);
}
@@ -1583,9 +1605,9 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
return (KMF_ERR_MEMORY);
modattr[0].pValue = modulus;
- rv = C_GetAttributeValue(kmfh->pk11handle,
+ ckrv = C_GetAttributeValue(kmfh->pk11handle,
(CK_OBJECT_HANDLE)pubKey, modattr, 1);
- if (rv != CKR_OK) {
+ if (ckrv != CKR_OK) {
SET_ERROR(kmfh, ckrv);
free(modulus);
return (KMF_ERR_BAD_PARAMETER);
@@ -1626,9 +1648,9 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
pubkey->keyp = (void *)pubKey;
/* Get the Public Value to use as input for creating the ID */
- rv = C_GetAttributeValue(hSession,
+ ckrv = C_GetAttributeValue(hSession,
(CK_OBJECT_HANDLE)pubKey, valattr, 1);
- if (rv != CKR_OK) {
+ if (ckrv != CKR_OK) {
SET_ERROR(kmfh, ckrv);
return (KMF_ERR_BAD_PARAMETER);
}
@@ -1639,9 +1661,9 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
return (KMF_ERR_MEMORY);
valattr[0].pValue = keyvalue;
- rv = C_GetAttributeValue(hSession,
+ ckrv = C_GetAttributeValue(hSession,
(CK_OBJECT_HANDLE)pubKey, valattr, 1);
- if (rv != CKR_OK) {
+ if (ckrv != CKR_OK) {
SET_ERROR(kmfh, ckrv);
free(keyvalue);
return (KMF_ERR_BAD_PARAMETER);
@@ -1698,7 +1720,6 @@ KMFPK11_CreateKeypair(KMF_HANDLE_T handle,
free(IDInput.Data);
if (rv != CKR_OK) {
- SET_ERROR(kmfh, rv);
goto cleanup;
}
SETATTR(idattr, 0, CKA_ID, IDOutput.Data, IDOutput.Length);
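Review bot: `if (rv != CKR_OK)` in this hunk still compares against the PKCS#11 constant although, with the SET_ERROR call removed, `rv` appears to hold a KMF_RETURN from the ID-generation step. The rest of the commit separates `ckrv` from `rv`, so the test should read `if (rv != KMF_OK)`. The assignment to `rv` is outside the hunk, so its type should be confirmed there.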
@@ -1975,7 +1996,6 @@ KMFPK11_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr,
/* Generate an ID from the SPKI data */
rv = GetIDFromSPKI(pubkey, &Id);
if (rv != KMF_OK) {
- SET_ERROR(kmfh, rv);
goto errout;
}
@@ -2002,7 +2022,7 @@ KMFPK11_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr,
goto errout;
}
- if ((rv = C_FindObjects(kmfh->pk11handle, &pri_obj, 1,
+ if ((ckrv = C_FindObjects(kmfh->pk11handle, &pri_obj, 1,
&obj_count)) != CKR_OK) {
SET_ERROR(kmfh, ckrv);
rv = KMF_ERR_INTERNAL;
@@ -2253,9 +2273,9 @@ get_raw_rsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_RSA_KEY *rawrsa)
}
}
/* Now that we have space, really get the attributes */
- if ((rv = C_GetAttributeValue(sess, obj,
+ if ((ckrv = C_GetAttributeValue(sess, obj,
rsa_pri_attrs, count)) != CKR_OK) {
- SET_ERROR(kmfh, rv);
+ SET_ERROR(kmfh, ckrv);
rv = KMF_ERR_INTERNAL;
goto end;
}
@@ -2413,9 +2433,9 @@ get_raw_dsa(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_DSA_KEY *rawdsa)
goto end;
}
}
- if ((rv = C_GetAttributeValue(sess, obj,
+ if ((ckrv = C_GetAttributeValue(sess, obj,
dsa_pri_attrs, count)) != CKR_OK) {
- SET_ERROR(kmfh, rv);
+ SET_ERROR(kmfh, ckrv);
rv = KMF_ERR_INTERNAL;
goto end;
}
@@ -2474,8 +2494,8 @@ get_raw_sym(KMF_HANDLE *kmfh, CK_OBJECT_HANDLE obj, KMF_RAW_SYM_KEY *rawsym)
}
/* get the key data */
- if ((rv = C_GetAttributeValue(sess, obj, sym_attr, 1)) != CKR_OK) {
- SET_ERROR(kmfh, rv);
+ if ((ckrv = C_GetAttributeValue(sess, obj, sym_attr, 1)) != CKR_OK) {
+ SET_ERROR(kmfh, ckrv);
free(sym_attr[0].pValue);
return (KMF_ERR_INTERNAL);
}
@@ -2734,7 +2754,7 @@ KMFPK11_FindKey(KMF_HANDLE_T handle,
* a private or secred key, or if the user passed in credentials.
*/
cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
- if (cred != NULL && (cred->credlen > 0)) {
+ if (cred != NULL) {
rv = pk11_authenticate(handle, cred);
if (rv != KMF_OK)
return (rv);
@@ -2906,6 +2926,7 @@ store_raw_key(KMF_HANDLE_T handle,
char *notbefore = NULL, *start = NULL;
char *notafter = NULL, *end = NULL;
char *keylabel = NULL;
+ KMF_CREDENTIAL *cred = NULL;
if (kmfh == NULL)
return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
@@ -2920,6 +2941,13 @@ store_raw_key(KMF_HANDLE_T handle,
else
return (KMF_ERR_BAD_PARAMETER);
+ cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
+ if (cred != NULL) {
+ rv = pk11_authenticate(handle, cred);
+ if (rv != KMF_OK)
+ return (rv);
+ }
+
keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
/*
* If the caller did not specify a label, see if the raw key
@@ -3337,8 +3365,16 @@ KMFPK11_CreateSymKey(KMF_HANDLE_T handle,
&keyhandle);
}
if (ckrv != CKR_OK) {
+ if (ckrv == CKR_USER_NOT_LOGGED_IN ||
+ ckrv == CKR_PIN_INCORRECT ||
+ ckrv == CKR_PIN_INVALID ||
+ ckrv == CKR_PIN_EXPIRED ||
+ ckrv == CKR_PIN_LOCKED ||
+ ckrv == CKR_SESSION_READ_ONLY)
+ rv = KMF_ERR_AUTH_FAILED;
+ else
+ rv = KMF_ERR_KEYGEN_FAILED;
SET_ERROR(kmfh, ckrv);
- rv = KMF_ERR_KEYGEN_FAILED;
goto out;
}
@@ -3781,8 +3817,16 @@ create_generic_secret_key(KMF_HANDLE_T handle,
ckrv = C_CreateObject(hSession, templ, i, key);
if (ckrv != CKR_OK) {
+ if (ckrv == CKR_USER_NOT_LOGGED_IN ||
+ ckrv == CKR_PIN_INCORRECT ||
+ ckrv == CKR_PIN_INVALID ||
+ ckrv == CKR_PIN_EXPIRED ||
+ ckrv == CKR_PIN_LOCKED ||
+ ckrv == CKR_SESSION_READ_ONLY)
+ rv = KMF_ERR_AUTH_FAILED;
+ else
+ rv = KMF_ERR_KEYGEN_FAILED;
SET_ERROR(kmfh, ckrv);
- rv = KMF_ERR_KEYGEN_FAILED;
}
out: