xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c (revision a8793c76)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 * Copyright 2012 Milan Jurik. All rights reserved.
 * Copyright (c) 2018, Joyent, Inc.
 */

#include <stdlib.h>
#include <string.h>
#include <security/cryptoki.h>
#include <sys/crypto/common.h>
#include <arcfour.h>
#include <aes_impl.h>
#include <blowfish_impl.h>
#include <bignum.h>
#include <des_impl.h>
#include <rsa_impl.h>
#include "softGlobal.h"
#include "softObject.h"
#include "softSession.h"
#include "softKeystore.h"
#include "softKeystoreUtil.h"
#include "softCrypt.h"


/*
 * This attribute table is used by the soft_lookup_attr()
 * to validate the attributes.
 */
CK_ATTRIBUTE_TYPE attr_map[] = {
	CKA_PRIVATE,
	CKA_LABEL,
	CKA_APPLICATION,
	CKA_OBJECT_ID,
	CKA_CERTIFICATE_TYPE,
	CKA_ISSUER,
	CKA_SERIAL_NUMBER,
	CKA_AC_ISSUER,
	CKA_OWNER,
	CKA_ATTR_TYPES,
	CKA_SUBJECT,
	CKA_ID,
	CKA_SENSITIVE,
	CKA_START_DATE,
	CKA_END_DATE,
	CKA_MODULUS,
	CKA_MODULUS_BITS,
	CKA_PUBLIC_EXPONENT,
	CKA_PRIVATE_EXPONENT,
	CKA_PRIME_1,
	CKA_PRIME_2,
	CKA_EXPONENT_1,
	CKA_EXPONENT_2,
	CKA_COEFFICIENT,
	CKA_PRIME,
	CKA_SUBPRIME,
	CKA_BASE,
	CKA_EXTRACTABLE,
	CKA_LOCAL,
	CKA_NEVER_EXTRACTABLE,
	CKA_ALWAYS_SENSITIVE,
	CKA_MODIFIABLE,
	CKA_ECDSA_PARAMS,
	CKA_EC_PARAMS,
	CKA_EC_POINT,
	CKA_SECONDARY_AUTH,
	CKA_AUTH_PIN_FLAGS,
	CKA_HW_FEATURE_TYPE,
	CKA_RESET_ON_INIT,
	CKA_HAS_RESET
};

/*
 * attributes that exists only in public key objects
 * Note: some attributes may also exist in one or two
 *       other object classes, but they are also listed
 *       because not all object have them.
 */
CK_ATTRIBUTE_TYPE PUB_KEY_ATTRS[] =
{
	CKA_SUBJECT,
	CKA_ENCRYPT,
	CKA_WRAP,
	CKA_VERIFY,
	CKA_VERIFY_RECOVER,
	CKA_MODULUS,
	CKA_MODULUS_BITS,
	CKA_PUBLIC_EXPONENT,
	CKA_PRIME,
	CKA_SUBPRIME,
	CKA_BASE,
	CKA_TRUSTED,
	CKA_ECDSA_PARAMS,
	CKA_EC_PARAMS,
	CKA_EC_POINT
};

/*
 * attributes that exists only in private key objects
 * Note: some attributes may also exist in one or two
 *       other object classes, but they are also listed
 *       because not all object have them.
 */
CK_ATTRIBUTE_TYPE PRIV_KEY_ATTRS[] =
{
	CKA_DECRYPT,
	CKA_UNWRAP,
	CKA_SIGN,
	CKA_SIGN_RECOVER,
	CKA_MODULUS,
	CKA_PUBLIC_EXPONENT,
	CKA_PRIVATE_EXPONENT,
	CKA_PRIME,
	CKA_SUBPRIME,
	CKA_BASE,
	CKA_PRIME_1,
	CKA_PRIME_2,
	CKA_EXPONENT_1,
	CKA_EXPONENT_2,
	CKA_COEFFICIENT,
	CKA_VALUE_BITS,
	CKA_SUBJECT,
	CKA_SENSITIVE,
	CKA_EXTRACTABLE,
	CKA_NEVER_EXTRACTABLE,
	CKA_ALWAYS_SENSITIVE,
	CKA_EC_PARAMS
};

/*
 * attributes that exists only in secret key objects
 * Note: some attributes may also exist in one or two
 *       other object classes, but they are also listed
 *       because not all object have them.
 */
CK_ATTRIBUTE_TYPE SECRET_KEY_ATTRS[] =
{
	CKA_VALUE_LEN,
	CKA_ENCRYPT,
	CKA_DECRYPT,
	CKA_WRAP,
	CKA_UNWRAP,
	CKA_SIGN,
	CKA_VERIFY,
	CKA_SENSITIVE,
	CKA_EXTRACTABLE,
	CKA_NEVER_EXTRACTABLE,
	CKA_ALWAYS_SENSITIVE
};

/*
 * attributes that exists only in domain parameter objects
 * Note: some attributes may also exist in one or two
 *       other object classes, but they are also listed
 *       because not all object have them.
 */
CK_ATTRIBUTE_TYPE DOMAIN_ATTRS[] =
{
	CKA_PRIME,
	CKA_SUBPRIME,
	CKA_BASE,
	CKA_PRIME_BITS,
	CKA_SUBPRIME_BITS,
	CKA_SUB_PRIME_BITS
};

/*
 * attributes that exists only in hardware feature objects
 *
 */
CK_ATTRIBUTE_TYPE HARDWARE_ATTRS[] =
{
	CKA_HW_FEATURE_TYPE,
	CKA_RESET_ON_INIT,
	CKA_HAS_RESET
};

/*
 * attributes that exists only in certificate objects
 */
CK_ATTRIBUTE_TYPE CERT_ATTRS[] =
{
	CKA_CERTIFICATE_TYPE,
	CKA_TRUSTED,
	CKA_SUBJECT,
	CKA_ID,
	CKA_ISSUER,
	CKA_AC_ISSUER,
	CKA_SERIAL_NUMBER,
	CKA_OWNER,
	CKA_ATTR_TYPES
};


/*
 * Validate the attribute by using binary search algorithm.
 */
CK_RV
soft_lookup_attr(CK_ATTRIBUTE_TYPE type)
{

	size_t lower, middle, upper;

	lower = 0;
	upper = (sizeof (attr_map) / sizeof (CK_ATTRIBUTE_TYPE)) - 1;

	while (lower <= upper) {
		/* Always starts from middle. */
		middle = (lower + upper) / 2;

		if (type > attr_map[middle]) {
			/* Adjust the lower bound to upper half. */
			lower = middle + 1;
			continue;
		}

		if (type == attr_map[middle]) {
			/* Found it. */
			return (CKR_OK);
		}

		if (type < attr_map[middle]) {
			/* Adjust the upper bound to lower half. */
			upper = middle - 1;
			continue;
		}
	}

	/* Failed to find the matching attribute from the attribute table. */
	return (CKR_ATTRIBUTE_TYPE_INVALID);
}


/*
 * Validate the attribute by using the following search algorithm:
 *
 * 1) Search for the most frequently used attributes first.
 * 2) If not found, search for the usage-purpose attributes - these
 *    attributes have dense set of values, therefore compiler will
 *    optimize it with a branch table and branch to the appropriate
 *    case.
 * 3) If still not found, use binary search for the rest of the
 *    attributes in the attr_map[] table.
 */
CK_RV
soft_validate_attr(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
    CK_OBJECT_CLASS *class)
{

	CK_ULONG i;
	CK_RV rv = CKR_OK;

	for (i = 0; i < ulAttrNum; i++) {
		/* First tier search */
		switch (template[i].type) {
		case CKA_CLASS:
			*class = *((CK_OBJECT_CLASS*)template[i].pValue);
			break;
		case CKA_TOKEN:
			break;
		case CKA_KEY_TYPE:
			break;
		case CKA_VALUE:
			break;
		case CKA_VALUE_LEN:
			break;
		case CKA_VALUE_BITS:
			break;
		default:
			/* Second tier search */
			switch (template[i].type) {
			case CKA_ENCRYPT:
				break;
			case CKA_DECRYPT:
				break;
			case CKA_WRAP:
				break;
			case CKA_UNWRAP:
				break;
			case CKA_SIGN:
				break;
			case CKA_SIGN_RECOVER:
				break;
			case CKA_VERIFY:
				break;
			case CKA_VERIFY_RECOVER:
				break;
			case CKA_DERIVE:
				break;
			default:
				/* Third tier search */
				rv = soft_lookup_attr(template[i].type);
				if (rv != CKR_OK)
					return (rv);
				break;
			}
			break;
		}
	}
	return (rv);
}

static void
cleanup_cert_attr(cert_attr_t *attr)
{
	if (attr != NULL) {
		freezero(attr->value, attr->length);
		attr->value = NULL;
		attr->length = 0;
	}
}

static CK_RV
copy_cert_attr(cert_attr_t *src_attr, cert_attr_t **dest_attr)
{
	CK_RV rv = CKR_OK;

	if (src_attr == NULL || dest_attr == NULL)
		return (CKR_HOST_MEMORY);

	if (src_attr->value == NULL)
		return (CKR_HOST_MEMORY);

	/* free memory if its already allocated */
	if (*dest_attr != NULL) {
		cleanup_cert_attr(*dest_attr);
	} else {
		*dest_attr = malloc(sizeof (cert_attr_t));
		if (*dest_attr == NULL)
			return (CKR_HOST_MEMORY);
	}

	(*dest_attr)->value = NULL;
	(*dest_attr)->length = 0;

	if (src_attr->length) {
		(*dest_attr)->value = malloc(src_attr->length);
		if ((*dest_attr)->value == NULL) {
			free(*dest_attr);
			return (CKR_HOST_MEMORY);
		}

		(void) memcpy((*dest_attr)->value, src_attr->value,
		    src_attr->length);
		(*dest_attr)->length = src_attr->length;
	}

	return (rv);
}

void
soft_cleanup_cert_object(soft_object_t *object_p)
{
	CK_CERTIFICATE_TYPE certtype = object_p->cert_type;

	if (object_p->class != CKO_CERTIFICATE ||
	    OBJ_CERT(object_p) == NULL)
		return;

	if (certtype == CKC_X_509) {
		if (X509_CERT_SUBJECT(object_p) != NULL) {
			cleanup_cert_attr(X509_CERT_SUBJECT(object_p));
			free(X509_CERT_SUBJECT(object_p));
			X509_CERT_SUBJECT(object_p) = NULL;
		}
		if (X509_CERT_VALUE(object_p) != NULL) {
			cleanup_cert_attr(X509_CERT_VALUE(object_p));
			free(X509_CERT_VALUE(object_p));
			X509_CERT_VALUE(object_p) = NULL;
		}
		free(OBJ_CERT(object_p));
	} else if (certtype == CKC_X_509_ATTR_CERT) {
		if (X509_ATTR_CERT_VALUE(object_p) != NULL) {
			cleanup_cert_attr(X509_ATTR_CERT_VALUE(object_p));
			free(X509_ATTR_CERT_VALUE(object_p));
			X509_ATTR_CERT_VALUE(object_p) = NULL;
		}
		if (X509_ATTR_CERT_OWNER(object_p) != NULL) {
			cleanup_cert_attr(X509_ATTR_CERT_OWNER(object_p));
			free(X509_ATTR_CERT_OWNER(object_p));
			X509_ATTR_CERT_OWNER(object_p) = NULL;
		}
		free(OBJ_CERT(object_p));
	}
}

/*
 * Clean up and release all the storage in the extra attribute list
 * of an object.
 */
void
soft_cleanup_extra_attr(soft_object_t *object_p)
{

	CK_ATTRIBUTE_INFO_PTR extra_attr;
	CK_ATTRIBUTE_INFO_PTR tmp;

	extra_attr = object_p->extra_attrlistp;
	while (extra_attr) {
		tmp = extra_attr->next;
		if (extra_attr->attr.pValue != NULL) {
			/*
			 * All extra attributes in the extra attribute
			 * list have pValue points to the value of the
			 * attribute (with simple byte array type).
			 * Free the storage for the value of the attribute.
			 */
			freezero(extra_attr->attr.pValue,
			    extra_attr->attr.ulValueLen);
		}

		/* Free the storage for the attribute_info struct. */
		free(extra_attr);
		extra_attr = tmp;
	}

	object_p->extra_attrlistp = NULL;
}


/*
 * Create the attribute_info struct to hold the object's attribute,
 * and add it to the extra attribute list of an object.
 */
CK_RV
soft_add_extra_attr(CK_ATTRIBUTE_PTR template, soft_object_t *object_p)
{

	CK_ATTRIBUTE_INFO_PTR attrp;

	/* Allocate the storage for the attribute_info struct. */
	attrp = calloc(1, sizeof (attribute_info_t));
	if (attrp == NULL) {
		return (CKR_HOST_MEMORY);
	}

	/* Set up attribute_info struct. */
	attrp->attr.type = template->type;
	attrp->attr.ulValueLen = template->ulValueLen;

	if ((template->pValue != NULL) &&
	    (template->ulValueLen > 0)) {
		/* Allocate storage for the value of the attribute. */
		attrp->attr.pValue = malloc(template->ulValueLen);
		if (attrp->attr.pValue == NULL) {
			free(attrp);
			return (CKR_HOST_MEMORY);
		}

		(void) memcpy(attrp->attr.pValue, template->pValue,
		    template->ulValueLen);
	} else {
		attrp->attr.pValue = NULL;
	}

	/* Insert the new attribute in front of extra attribute list. */
	if (object_p->extra_attrlistp == NULL) {
		object_p->extra_attrlistp = attrp;
		attrp->next = NULL;
	} else {
		attrp->next = object_p->extra_attrlistp;
		object_p->extra_attrlistp = attrp;
	}

	return (CKR_OK);
}

CK_RV
soft_copy_certificate(certificate_obj_t *oldcert, certificate_obj_t **newcert,
    CK_CERTIFICATE_TYPE type)
{
	CK_RV rv = CKR_OK;
	certificate_obj_t	*cert;
	x509_cert_t		x509;
	x509_attr_cert_t	x509_attr;

	cert = calloc(1, sizeof (certificate_obj_t));
	if (cert == NULL) {
		return (CKR_HOST_MEMORY);
	}

	if (type == CKC_X_509) {
		x509 = oldcert->cert_type_u.x509;
		if (x509.subject)
			if ((rv = copy_cert_attr(x509.subject,
			    &cert->cert_type_u.x509.subject)))
				return (rv);
		if (x509.value)
			if ((rv = copy_cert_attr(x509.value,
			    &cert->cert_type_u.x509.value)))
				return (rv);
	} else if (type == CKC_X_509_ATTR_CERT) {
		x509_attr = oldcert->cert_type_u.x509_attr;
		if (x509_attr.owner)
			if ((rv = copy_cert_attr(x509_attr.owner,
			    &cert->cert_type_u.x509_attr.owner)))
				return (rv);
		if (x509_attr.value)
			if ((rv = copy_cert_attr(x509_attr.value,
			    &cert->cert_type_u.x509_attr.value)))
				return (rv);
	} else {
		/* wrong certificate type */
		rv = CKR_ATTRIBUTE_TYPE_INVALID;
	}
	if (rv == CKR_OK)
		*newcert = cert;
	return (rv);
}

/*
 * Copy the attribute_info struct from the old object to a new attribute_info
 * struct, and add that new struct to the extra attribute list of the new
 * object.
 */
CK_RV
soft_copy_extra_attr(CK_ATTRIBUTE_INFO_PTR old_attrp, soft_object_t *object_p)
{
	CK_ATTRIBUTE_INFO_PTR attrp;

	/* Allocate attribute_info struct. */
	attrp = calloc(1, sizeof (attribute_info_t));
	if (attrp == NULL) {
		return (CKR_HOST_MEMORY);
	}

	attrp->attr.type = old_attrp->attr.type;
	attrp->attr.ulValueLen = old_attrp->attr.ulValueLen;

	if ((old_attrp->attr.pValue != NULL) &&
	    (old_attrp->attr.ulValueLen > 0)) {
		attrp->attr.pValue = malloc(old_attrp->attr.ulValueLen);
		if (attrp->attr.pValue == NULL) {
			free(attrp);
			return (CKR_HOST_MEMORY);
		}

		(void) memcpy(attrp->attr.pValue, old_attrp->attr.pValue,
		    old_attrp->attr.ulValueLen);
	} else {
		attrp->attr.pValue = NULL;
	}

	/* Insert the new attribute in front of extra attribute list */
	if (object_p->extra_attrlistp == NULL) {
		object_p->extra_attrlistp = attrp;
		attrp->next = NULL;
	} else {
		attrp->next = object_p->extra_attrlistp;
		object_p->extra_attrlistp = attrp;
	}

	return (CKR_OK);
}


/*
 * Get the attribute triple from the extra attribute list in the object
 * (if the specified attribute type is found), and copy it to a template.
 * Note the type of the attribute to be copied is specified by the template,
 * and the storage is pre-allocated for the atrribute value in the template
 * for doing the copy.
 */
CK_RV
get_extra_attr_from_object(soft_object_t *object_p, CK_ATTRIBUTE_PTR template)
{

	CK_ATTRIBUTE_INFO_PTR extra_attr;
	CK_ATTRIBUTE_TYPE type = template->type;

	extra_attr = object_p->extra_attrlistp;

	while (extra_attr) {
		if (type == extra_attr->attr.type) {
			/* Found it. */
			break;
		} else {
			/* Does not match, try next one. */
			extra_attr = extra_attr->next;
		}
	}

	if (extra_attr == NULL) {
		/* A valid but un-initialized attribute. */
		template->ulValueLen = 0;
		return (CKR_OK);
	}

	/*
	 * We found the attribute in the extra attribute list.
	 */
	if (template->pValue == NULL) {
		template->ulValueLen = extra_attr->attr.ulValueLen;
		return (CKR_OK);
	}

	if (template->ulValueLen >= extra_attr->attr.ulValueLen) {
		/*
		 * The buffer provided by the application is large
		 * enough to hold the value of the attribute.
		 */
		(void) memcpy(template->pValue, extra_attr->attr.pValue,
		    extra_attr->attr.ulValueLen);
		template->ulValueLen = extra_attr->attr.ulValueLen;
		return (CKR_OK);
	} else {
		/*
		 * The buffer provided by the application does
		 * not have enough space to hold the value.
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_BUFFER_TOO_SMALL);
	}
}


/*
 * Modify the attribute triple in the extra attribute list of the object
 * if the specified attribute type is found. Otherwise, just add it to
 * list.
 */
CK_RV
set_extra_attr_to_object(soft_object_t *object_p, CK_ATTRIBUTE_TYPE type,
    CK_ATTRIBUTE_PTR template)
{

	CK_ATTRIBUTE_INFO_PTR extra_attr;

	extra_attr = object_p->extra_attrlistp;

	while (extra_attr) {
		if (type == extra_attr->attr.type) {
			/* Found it. */
			break;
		} else {
			/* Does not match, try next one. */
			extra_attr = extra_attr->next;
		}
	}

	if (extra_attr == NULL) {
		/*
		 * This attribute is a new one, go ahead adding it to
		 * the extra attribute list.
		 */
		return (soft_add_extra_attr(template, object_p));
	}

	/* We found the attribute in the extra attribute list. */
	if ((template->pValue != NULL) &&
	    (template->ulValueLen > 0)) {
		if (template->ulValueLen > extra_attr->attr.ulValueLen) {
			/* The old buffer is too small to hold the new value. */
			if (extra_attr->attr.pValue != NULL) {
				/* Free storage for the old attribute value. */
				freezero(extra_attr->attr.pValue,
				    extra_attr->attr.ulValueLen);
			}

			/* Allocate storage for the new attribute value. */
			extra_attr->attr.pValue = malloc(template->ulValueLen);
			if (extra_attr->attr.pValue == NULL) {
				return (CKR_HOST_MEMORY);
			}
		}

		/* Replace the attribute with new value. */
		extra_attr->attr.ulValueLen = template->ulValueLen;
		(void) memcpy(extra_attr->attr.pValue, template->pValue,
		    template->ulValueLen);
	} else {
		extra_attr->attr.pValue = NULL;
	}

	return (CKR_OK);
}


/*
 * Copy the big integer attribute value from template to a biginteger_t struct.
 */
CK_RV
get_bigint_attr_from_template(biginteger_t *big, CK_ATTRIBUTE_PTR template)
{

	if ((template->pValue != NULL) &&
	    (template->ulValueLen > 0)) {
		/* Allocate storage for the value of the attribute. */
		big->big_value = malloc(template->ulValueLen);
		if (big->big_value == NULL) {
			return (CKR_HOST_MEMORY);
		}

		(void) memcpy(big->big_value, template->pValue,
		    template->ulValueLen);
		big->big_value_len = template->ulValueLen;
	} else {
		big->big_value = NULL;
		big->big_value_len = 0;
	}

	return (CKR_OK);
}


/*
 * Copy the big integer attribute value from a biginteger_t struct in the
 * object to a template.
 */
CK_RV
get_bigint_attr_from_object(biginteger_t *big, CK_ATTRIBUTE_PTR template)
{

	if (template->pValue == NULL) {
		template->ulValueLen = big->big_value_len;
		return (CKR_OK);
	}

	if (big->big_value == NULL) {
		template->ulValueLen = 0;
		return (CKR_OK);
	}

	if (template->ulValueLen >= big->big_value_len) {
		/*
		 * The buffer provided by the application is large
		 * enough to hold the value of the attribute.
		 */
		(void) memcpy(template->pValue, big->big_value,
		    big->big_value_len);
		template->ulValueLen = big->big_value_len;
		return (CKR_OK);
	} else {
		/*
		 * The buffer provided by the application does
		 * not have enough space to hold the value.
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_BUFFER_TOO_SMALL);
	}
}


/*
 * Copy the boolean data type attribute value from an object for the
 * specified attribute to the template.
 */
CK_RV
get_bool_attr_from_object(soft_object_t *object_p, CK_ULONG bool_flag,
    CK_ATTRIBUTE_PTR template)
{

	if (template->pValue == NULL) {
		template->ulValueLen = sizeof (CK_BBOOL);
		return (CKR_OK);
	}

	if (template->ulValueLen >= sizeof (CK_BBOOL)) {
		/*
		 * The buffer provided by the application is large
		 * enough to hold the value of the attribute.
		 */
		if (object_p->bool_attr_mask & bool_flag) {
			*((CK_BBOOL *)template->pValue) = B_TRUE;
		} else {
			*((CK_BBOOL *)template->pValue) = B_FALSE;
		}

		template->ulValueLen = sizeof (CK_BBOOL);
		return (CKR_OK);
	} else {
		/*
		 * The buffer provided by the application does
		 * not have enough space to hold the value.
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_BUFFER_TOO_SMALL);
	}
}

/*
 * Set the boolean data type attribute value in the object.
 */
CK_RV
set_bool_attr_to_object(soft_object_t *object_p, CK_ULONG bool_flag,
    CK_ATTRIBUTE_PTR template)
{

	if (*(CK_BBOOL *)template->pValue)
		object_p->bool_attr_mask |= bool_flag;
	else
		object_p->bool_attr_mask &= ~bool_flag;

	return (CKR_OK);
}


/*
 * Copy the CK_ULONG data type attribute value from an object to the
 * template.
 */
CK_RV
get_ulong_attr_from_object(CK_ULONG value, CK_ATTRIBUTE_PTR template)
{

	if (template->pValue == NULL) {
		template->ulValueLen = sizeof (CK_ULONG);
		return (CKR_OK);
	}

	if (template->ulValueLen >= sizeof (CK_ULONG)) {
		/*
		 * The buffer provided by the application is large
		 * enough to hold the value of the attribute.
		 * It is also assumed to be correctly aligned.
		 */
		*(CK_ULONG_PTR)template->pValue = value;
		template->ulValueLen = sizeof (CK_ULONG);
		return (CKR_OK);
	} else {
		/*
		 * The buffer provided by the application does
		 * not have enough space to hold the value.
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_BUFFER_TOO_SMALL);
	}
}


/*
 * Copy the CK_ULONG data type attribute value from a template to the
 * object.
 */
static CK_RV
get_ulong_attr_from_template(CK_ULONG *value, CK_ATTRIBUTE_PTR template)
{

	if (template->ulValueLen < sizeof (CK_ULONG))
		return (CKR_ATTRIBUTE_VALUE_INVALID);

	if (template->pValue != NULL) {
		*value = *(CK_ULONG_PTR)template->pValue;
	} else {
		*value = 0;
	}

	return (CKR_OK);
}

/*
 * Copy the big integer attribute value from source's biginteger_t to
 * destination's biginteger_t.
 */
void
copy_bigint_attr(biginteger_t *src, biginteger_t *dst)
{

	if ((src->big_value != NULL) &&
	    (src->big_value_len > 0)) {
		/*
		 * To do the copy, just have dst's big_value points
		 * to src's.
		 */
		dst->big_value = src->big_value;
		dst->big_value_len = src->big_value_len;

		/*
		 * After the copy, nullify the src's big_value pointer.
		 * It prevents any double freeing the value.
		 */
		src->big_value = NULL;
		src->big_value_len = 0;
	} else {
		dst->big_value = NULL;
		dst->big_value_len = 0;
	}
}

CK_RV
get_string_from_template(CK_ATTRIBUTE_PTR dest, CK_ATTRIBUTE_PTR src)
{
	if ((src->pValue != NULL) &&
	    (src->ulValueLen > 0)) {
		/* Allocate storage for the value of the attribute. */
		dest->pValue = malloc(src->ulValueLen);
		if (dest->pValue == NULL) {
			return (CKR_HOST_MEMORY);
		}

		(void) memcpy(dest->pValue, src->pValue,
		    src->ulValueLen);
		dest->ulValueLen = src->ulValueLen;
		dest->type = src->type;
	} else {
		dest->pValue = NULL;
		dest->ulValueLen = 0;
		dest->type = src->type;
	}

	return (CKR_OK);

}

CK_RV
get_cert_attr_from_template(cert_attr_t **dest, CK_ATTRIBUTE_PTR src)
{
	if (src->pValue != NULL && src->ulValueLen > 0) {
		/*
		 * If the attribute was already set, clear out the
		 * existing value and release the memory.
		 */
		if (*dest != NULL) {
			cleanup_cert_attr(*dest);
		} else {
			*dest = malloc(sizeof (cert_attr_t));
			if (*dest == NULL) {
				return (CKR_HOST_MEMORY);
			}
			(void) memset(*dest, 0, sizeof (cert_attr_t));
		}
		(*dest)->value = malloc(src->ulValueLen);
		if ((*dest)->value == NULL) {
			free(*dest);
			*dest = NULL;
			return (CKR_HOST_MEMORY);
		}
		(void) memcpy((*dest)->value, src->pValue, src->ulValueLen);
		(*dest)->length = src->ulValueLen;
	}

	return (CKR_OK);
}

/*
 * Copy the certificate attribute information to the template.
 * If the template attribute is not big enough, set the ulValueLen=-1
 * and return CKR_BUFFER_TOO_SMALL.
 */
static CK_RV
get_cert_attr_from_object(cert_attr_t *src, CK_ATTRIBUTE_PTR template)
{
	if (template->pValue == NULL) {
		template->ulValueLen = src->length;
		return (CKR_OK);
	} else if (template->ulValueLen >= src->length) {
		/*
		 * The buffer provided by the application is large
		 * enough to hold the value of the attribute.
		 */
		(void) memcpy(template->pValue, src->value, src->length);
		template->ulValueLen = src->length;
		return (CKR_OK);
	} else {
		/*
		 * The buffer provided by the application does
		 * not have enough space to hold the value.
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_BUFFER_TOO_SMALL);
	}
}

void
string_attr_cleanup(CK_ATTRIBUTE_PTR template)
{
	freezero(template->pValue, template->ulValueLen);
	template->pValue = NULL;
	template->ulValueLen = 0;
}

/*
 * Release the storage allocated for object attribute with big integer
 * value.
 */
void
bigint_attr_cleanup(biginteger_t *big)
{

	if (big == NULL)
		return;

	freezero(big->big_value, big->big_value_len);
	big->big_value = NULL;
	big->big_value_len = 0;
}


/*
 * Clean up and release all the storage allocated to hold the big integer
 * attributes associated with the type (i.e. class) of the object. Also,
 * release the storage allocated to the type of the object.
 */
void
soft_cleanup_object_bigint_attrs(soft_object_t *object_p)
{

	CK_OBJECT_CLASS class = object_p->class;
	CK_KEY_TYPE	keytype = object_p->key_type;


	switch (class) {
	case CKO_PUBLIC_KEY:
		if (OBJ_PUB(object_p)) {
			switch (keytype) {
			case CKK_RSA:
				bigint_attr_cleanup(OBJ_PUB_RSA_MOD(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_RSA_PUBEXPO(
				    object_p));
				break;

			case CKK_DSA:
				bigint_attr_cleanup(OBJ_PUB_DSA_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DSA_SUBPRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DSA_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DSA_VALUE(
				    object_p));
				break;

			case CKK_DH:
				bigint_attr_cleanup(OBJ_PUB_DH_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DH_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DH_VALUE(
				    object_p));
				break;

			case CKK_X9_42_DH:
				bigint_attr_cleanup(OBJ_PUB_DH942_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DH942_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DH942_SUBPRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PUB_DH942_VALUE(
				    object_p));
				break;
			case CKK_EC:
				bigint_attr_cleanup(OBJ_PUB_EC_POINT(
				    object_p));
				break;
			}

			/* Release Public Key Object struct */
			free(OBJ_PUB(object_p));
			OBJ_PUB(object_p) = NULL;
		}
		break;

	case CKO_PRIVATE_KEY:
		if (OBJ_PRI(object_p)) {
			switch (keytype) {
			case CKK_RSA:
				bigint_attr_cleanup(OBJ_PRI_RSA_MOD(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_PUBEXPO(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_PRIEXPO(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_PRIME1(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_PRIME2(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_EXPO1(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_EXPO2(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_RSA_COEF(
				    object_p));
				break;

			case CKK_DSA:
				bigint_attr_cleanup(OBJ_PRI_DSA_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DSA_SUBPRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DSA_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DSA_VALUE(
				    object_p));
				break;

			case CKK_DH:
				bigint_attr_cleanup(OBJ_PRI_DH_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DH_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DH_VALUE(
				    object_p));
				break;

			case CKK_X9_42_DH:
				bigint_attr_cleanup(OBJ_PRI_DH942_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DH942_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DH942_SUBPRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_PRI_DH942_VALUE(
				    object_p));
				break;

			case CKK_EC:
				bigint_attr_cleanup(OBJ_PRI_EC_VALUE(
				    object_p));
				break;
			}

			/* Release Private Key Object struct. */
			free(OBJ_PRI(object_p));
			OBJ_PRI(object_p) = NULL;
		}
		break;

	case CKO_SECRET_KEY:
		if (OBJ_SEC(object_p)) {
			/* cleanup key data area */
			if (OBJ_SEC_VALUE(object_p) != NULL &&
			    OBJ_SEC_VALUE_LEN(object_p) > 0) {
				freezero(OBJ_SEC_VALUE(object_p),
				    OBJ_SEC_VALUE_LEN(object_p));
			}
			/* cleanup key schedule data area */
			if (OBJ_KEY_SCHED(object_p) != NULL &&
			    OBJ_KEY_SCHED_LEN(object_p) > 0) {
				freezero(OBJ_KEY_SCHED(object_p),
				    OBJ_KEY_SCHED_LEN(object_p));
			}

			/* Release Secret Key Object struct. */
			free(OBJ_SEC(object_p));
			OBJ_SEC(object_p) = NULL;
		}
		break;

	case CKO_DOMAIN_PARAMETERS:
		if (OBJ_DOM(object_p)) {
			switch (keytype) {
			case CKK_DSA:
				bigint_attr_cleanup(OBJ_DOM_DSA_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_DOM_DSA_SUBPRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_DOM_DSA_BASE(
				    object_p));
				break;

			case CKK_DH:
				bigint_attr_cleanup(OBJ_DOM_DH_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_DOM_DH_BASE(
				    object_p));
				break;

			case CKK_X9_42_DH:
				bigint_attr_cleanup(OBJ_DOM_DH942_PRIME(
				    object_p));
				bigint_attr_cleanup(OBJ_DOM_DH942_BASE(
				    object_p));
				bigint_attr_cleanup(OBJ_DOM_DH942_SUBPRIME(
				    object_p));
				break;
			}

			/* Release Domain Parameters Object struct. */
			free(OBJ_DOM(object_p));
			OBJ_DOM(object_p) = NULL;
		}
		break;
	}
}


/*
 * Parse the common attributes. Return to caller with appropriate return
 * value to indicate if the supplied template specifies a valid attribute
 * with a valid value.
 */
CK_RV
soft_parse_common_attrs(CK_ATTRIBUTE_PTR template, uchar_t *object_type)
{

	CK_RV rv = CKR_OK;

	switch (template->type) {
	case CKA_CLASS:
		break;

	/* default boolean attributes */
	case CKA_TOKEN:
		if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
			if (!soft_keystore_status(KEYSTORE_INITIALIZED))
				return (CKR_DEVICE_REMOVED);
			*object_type |= TOKEN_OBJECT;
		}
		break;

	case CKA_PRIVATE:
		if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
			(void) pthread_mutex_lock(&soft_giant_mutex);
			if (!soft_slot.authenticated) {
				/*
				 * Check if this is the special case when
				 * the PIN is never initialized in the keystore.
				 * If true, we will let it pass here and let
				 * it fail with CKR_PIN_EXPIRED later on.
				 */
				if (!soft_slot.userpin_change_needed) {
					(void) pthread_mutex_unlock(
					    &soft_giant_mutex);
					return (CKR_USER_NOT_LOGGED_IN);
				}
			}
			(void) pthread_mutex_unlock(&soft_giant_mutex);
			*object_type |= PRIVATE_OBJECT;
		}
		break;

	case CKA_LABEL:
		break;

	default:
		rv = CKR_TEMPLATE_INCONSISTENT;
	}

	return (rv);
}


/*
 * Build a Public Key Object.
 *
 * - Parse the object's template, and when an error is detected such as
 *   invalid attribute type, invalid attribute value, etc., return
 *   with appropriate return value.
 * - Set up attribute mask field in the object for the supplied common
 *   attributes that have boolean type.
 * - Build the attribute_info struct to hold the value of each supplied
 *   attribute that has byte array type. Link attribute_info structs
 *   together to form the extra attribute list of the object.
 * - Allocate storage for the Public Key object.
 * - Build the Public Key object according to the key type. Allocate
 *   storage to hold the big integer value for the supplied attributes
 *   that are required for a certain key type.
 *
 */
CK_RV
soft_build_public_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
    soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type)
{

	ulong_t		i;
	CK_KEY_TYPE	keytype = (CK_KEY_TYPE)~0UL;
	uint64_t	attr_mask = PUBLIC_KEY_DEFAULT;
	CK_RV		rv = CKR_OK;
	int		isLabel = 0;
	/* Must set flags */
	int		isModulus = 0;
	int		isPubExpo = 0;
	int		isPrime = 0;
	int		isSubprime = 0;
	int		isBase = 0;
	int		isValue = 0;
	int		isECParam = 0;
	int		isECPoint = 0;
	/* Must not set flags */
	int		isModulusBits = 0;
	CK_ULONG	modulus_bits = 0;

	biginteger_t	modulus;
	biginteger_t	pubexpo;
	biginteger_t	prime;
	biginteger_t	subprime;
	biginteger_t	base;
	biginteger_t	value;
	biginteger_t	point;
	CK_ATTRIBUTE	string_tmp;
	CK_ATTRIBUTE	param_tmp;

	public_key_obj_t  *pbk;
	uchar_t	object_type = 0;

	CK_ATTRIBUTE	defpubexpo = { CKA_PUBLIC_EXPONENT,
	    (CK_BYTE_PTR)DEFAULT_PUB_EXPO, DEFAULT_PUB_EXPO_Len };

	BIGNUM		n;

	/* prevent bigint_attr_cleanup from freeing invalid attr value */
	(void) memset(&modulus, 0x0, sizeof (biginteger_t));
	(void) memset(&pubexpo, 0x0, sizeof (biginteger_t));
	(void) memset(&prime, 0x0, sizeof (biginteger_t));
	(void) memset(&subprime, 0x0, sizeof (biginteger_t));
	(void) memset(&base, 0x0, sizeof (biginteger_t));
	(void) memset(&value, 0x0, sizeof (biginteger_t));
	(void) memset(&point, 0x0, sizeof (biginteger_t));
	string_tmp.pValue = NULL;
	param_tmp.pValue = NULL;

	for (i = 0; i < ulAttrNum; i++) {

		/* Public Key Object Attributes */
		switch (template[i].type) {

		/* common key attributes */
		case CKA_KEY_TYPE:
			keytype = *((CK_KEY_TYPE*)template[i].pValue);
			break;

		case CKA_ID:
		case CKA_START_DATE:
		case CKA_END_DATE:

		/* common public key attribute */
		case CKA_SUBJECT:
			/*
			 * Allocate storage to hold the attribute
			 * value with byte array type, and add it to
			 * the extra attribute list of the object.
			 */
			rv = soft_add_extra_attr(&template[i],
			    new_object);
			if (rv != CKR_OK) {
				goto fail_cleanup;
			}
			break;

		/*
		 * The following key related attribute types must
		 * not be specified by C_CreateObject, C_GenerateKey(Pair).
		 */
		case CKA_LOCAL:
		case CKA_KEY_GEN_MECHANISM:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;

		/* Key related boolean attributes */
		case CKA_DERIVE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= DERIVE_BOOL_ON;
			break;

		case CKA_ENCRYPT:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= ENCRYPT_BOOL_ON;
			else
				attr_mask &= ~ENCRYPT_BOOL_ON;
			break;

		case CKA_VERIFY:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= VERIFY_BOOL_ON;
			else
				attr_mask &= ~VERIFY_BOOL_ON;
			break;

		case CKA_VERIFY_RECOVER:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= VERIFY_RECOVER_BOOL_ON;
			else
				attr_mask &= ~VERIFY_RECOVER_BOOL_ON;
			break;

		case CKA_WRAP:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= WRAP_BOOL_ON;
			else
				attr_mask &= ~WRAP_BOOL_ON;
			break;

		case CKA_TRUSTED:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= TRUSTED_BOOL_ON;
			break;

		case CKA_MODIFIABLE:
			if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE)
				attr_mask |= NOT_MODIFIABLE_BOOL_ON;
			break;

		/*
		 * The following key related attribute types must
		 * be specified according to the key type by
		 * C_CreateObject.
		 */
		case CKA_MODULUS:

			isModulus = 1;
			/*
			 * Copyin big integer attribute from template
			 * to a local variable.
			 */
			rv = get_bigint_attr_from_template(&modulus,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;

			/*
			 * Modulus length needs to be between min key length and
			 * max key length.
			 */
			if ((modulus.big_value_len <
			    MIN_RSA_KEYLENGTH_IN_BYTES) ||
			    (modulus.big_value_len >
			    MAX_RSA_KEYLENGTH_IN_BYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKA_PUBLIC_EXPONENT:
			isPubExpo = 1;
			rv = get_bigint_attr_from_template(&pubexpo,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_PRIME:
			isPrime = 1;
			rv = get_bigint_attr_from_template(&prime,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_SUBPRIME:
			isSubprime = 1;
			rv = get_bigint_attr_from_template(&subprime,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_BASE:
			isBase = 1;
			rv = get_bigint_attr_from_template(&base,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_VALUE:
			isValue = 1;
			if (mode == SOFT_CREATE_OBJ) {
				if ((template[i].ulValueLen == 0) ||
				    (template[i].pValue == NULL)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}

			rv = get_bigint_attr_from_template(&value,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_MODULUS_BITS:
			isModulusBits = 1;
			rv = get_ulong_attr_from_template(&modulus_bits,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_LABEL:
			isLabel = 1;
			rv = get_string_from_template(&string_tmp,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_EC_PARAMS:
			isECParam = 1;
			rv = get_string_from_template(&param_tmp, &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_EC_POINT:
			isECPoint = 1;
			rv = get_bigint_attr_from_template(&point,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		default:
			rv = soft_parse_common_attrs(&template[i],
			    &object_type);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;
		}
	} /* For */

	/* Allocate storage for Public Key Object. */
	pbk = calloc(1, sizeof (public_key_obj_t));
	if (pbk == NULL) {
		rv = CKR_HOST_MEMORY;
		goto fail_cleanup;
	}

	new_object->object_class_u.public_key = pbk;
	new_object->class = CKO_PUBLIC_KEY;

	if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) {
		rv = CKR_TEMPLATE_INCOMPLETE;
		goto fail_cleanup;
	}

	if ((mode == SOFT_GEN_KEY) && (keytype == (CK_KEY_TYPE)~0UL)) {
		keytype = key_type;
	}

	if ((mode == SOFT_GEN_KEY) && (keytype != key_type)) {
		/*
		 * The key type specified in the template does not
		 * match the implied key type based on the mechanism.
		 */
		rv = CKR_TEMPLATE_INCONSISTENT;
		goto fail_cleanup;
	}

	new_object->key_type = keytype;

	/* Supported key types of the Public Key Object */
	switch (keytype) {

	case CKK_RSA:
		if (mode == SOFT_CREATE_OBJ) {
			if (isModulusBits || isPrime || isSubprime ||
			    isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (isModulus && isPubExpo) {
				/*
				 * Derive modulus_bits attribute from modulus.
				 * Save modulus_bits integer value to the
				 * designated place in the public key object.
				 */
				n.malloced = 0;
#ifdef  __sparcv9
				if (big_init(&n, (int)CHARLEN2BIGNUMLEN(
				    modulus.big_value_len)) != BIG_OK) {
#else   /* !__sparcv9 */
				if (big_init(&n, CHARLEN2BIGNUMLEN(
				    modulus.big_value_len)) != BIG_OK) {
#endif  /* __sparcv9 */
					rv = CKR_HOST_MEMORY;
					big_finish(&n);
					goto fail_cleanup;
				}
				bytestring2bignum(&n, modulus.big_value,
				    modulus.big_value_len);

				modulus_bits = big_bitlength(&n);
				KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits;
				big_finish(&n);

				/*
				 * After modulus_bits has been computed,
				 * it is safe to move modulus and pubexpo
				 * big integer attribute value to the
				 * designated place in the public key object.
				 */
				copy_bigint_attr(&modulus,
				    KEY_PUB_RSA_MOD(pbk));

				copy_bigint_attr(&pubexpo,
				    KEY_PUB_RSA_PUBEXPO(pbk));
			} else {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		} else {
			/* mode is SOFT_GEN_KEY */

			if (isModulus || isPrime || isSubprime ||
			    isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}


			if (isModulusBits) {
				/*
				 * Copy big integer attribute value to the
				 * designated place in the public key object.
				 */
				KEY_PUB_RSA_MOD_BITS(pbk) = modulus_bits;
			} else {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}

			/*
			 * Use PKCS#11 default 0x010001 for public exponent
			 * if not not specified in attribute template.
			 */
			if (!isPubExpo) {
				isPubExpo = 1;
				rv = get_bigint_attr_from_template(&pubexpo,
				    &defpubexpo);
				if (rv != CKR_OK)
					goto fail_cleanup;
			}
			/*
			 * Copy big integer attribute value to the
			 * designated place in the public key object.
			 */
			copy_bigint_attr(&pubexpo, KEY_PUB_RSA_PUBEXPO(pbk));
		}

		break;

	case CKK_DSA:
		if (mode == SOFT_CREATE_OBJ) {
			if (isModulusBits || isModulus || isPubExpo) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (isPrime && isSubprime && isBase && isValue) {
				copy_bigint_attr(&value,
				    KEY_PUB_DSA_VALUE(pbk));
			} else {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		} else {
			if (isModulusBits || isModulus || isPubExpo ||
			    isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (!(isPrime && isSubprime && isBase)) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		}

		copy_bigint_attr(&prime, KEY_PUB_DSA_PRIME(pbk));

		copy_bigint_attr(&subprime, KEY_PUB_DSA_SUBPRIME(pbk));

		copy_bigint_attr(&base, KEY_PUB_DSA_BASE(pbk));

		break;

	case CKK_DH:
		if (mode == SOFT_CREATE_OBJ) {
			if (isModulusBits || isModulus || isPubExpo ||
			    isSubprime) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (isPrime && isBase && isValue) {
				copy_bigint_attr(&value,
				    KEY_PUB_DH_VALUE(pbk));
			} else {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		} else {
			if (isModulusBits || isModulus || isPubExpo ||
			    isSubprime || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (!(isPrime && isBase)) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		}

		copy_bigint_attr(&prime, KEY_PUB_DH_PRIME(pbk));

		copy_bigint_attr(&base, KEY_PUB_DH_BASE(pbk));

		break;

	case CKK_X9_42_DH:
		if (mode == SOFT_CREATE_OBJ) {
			if (isModulusBits || isModulus || isPubExpo) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (isPrime && isSubprime && isBase && isValue) {
				copy_bigint_attr(&value,
				    KEY_PUB_DH942_VALUE(pbk));
			} else {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		} else {
			if (isModulusBits || isModulus || isPubExpo ||
			    isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}

			if (!(isPrime && isSubprime && isBase)) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		}

		copy_bigint_attr(&prime, KEY_PUB_DH942_PRIME(pbk));

		copy_bigint_attr(&base, KEY_PUB_DH942_BASE(pbk));

		copy_bigint_attr(&subprime, KEY_PUB_DH942_SUBPRIME(pbk));

		break;

	case CKK_EC:
		if (mode == SOFT_CREATE_OBJ) {
			if (isModulusBits || isModulus || isPubExpo ||
			    isPrime || isSubprime || isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;

			} else if (!isECParam || !isECPoint) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		} else {
			if (isModulusBits || isModulus || isPubExpo ||
			    isPrime || isSubprime || isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;

			} else if (!isECParam) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
		}

		if (isECPoint) {
			copy_bigint_attr(&point, KEY_PUB_EC_POINT(pbk));
		}
		rv = soft_add_extra_attr(&param_tmp, new_object);
		if (rv != CKR_OK)
			goto fail_cleanup;
		string_attr_cleanup(&param_tmp);
		break;

	default:
		rv = CKR_TEMPLATE_INCONSISTENT;
		goto fail_cleanup;
	}

	/* Set up object. */
	new_object->object_type = object_type;
	new_object->bool_attr_mask = attr_mask;
	if (isLabel) {
		rv = soft_add_extra_attr(&string_tmp, new_object);
		if (rv != CKR_OK)
			goto fail_cleanup;
		string_attr_cleanup(&string_tmp);
	}

	return (rv);

fail_cleanup:
	/*
	 * cleanup the storage allocated to the local variables.
	 */
	bigint_attr_cleanup(&modulus);
	bigint_attr_cleanup(&pubexpo);
	bigint_attr_cleanup(&prime);
	bigint_attr_cleanup(&subprime);
	bigint_attr_cleanup(&base);
	bigint_attr_cleanup(&value);
	bigint_attr_cleanup(&point);
	string_attr_cleanup(&string_tmp);
	string_attr_cleanup(&param_tmp);

	/*
	 * cleanup the storage allocated inside the object itself.
	 */
	soft_cleanup_object(new_object);

	return (rv);
}


/*
 * Build a Private Key Object.
 *
 * - Parse the object's template, and when an error is detected such as
 *   invalid attribute type, invalid attribute value, etc., return
 *   with appropriate return value.
 * - Set up attribute mask field in the object for the supplied common
 *   attributes that have boolean type.
 * - Build the attribute_info struct to hold the value of each supplied
 *   attribute that has byte array type. Link attribute_info structs
 *   together to form the extra attribute list of the object.
 * - Allocate storage for the Private Key object.
 * - Build the Private Key object according to the key type. Allocate
 *   storage to hold the big integer value for the supplied attributes
 *   that are required for a certain key type.
 *
 */
CK_RV
soft_build_private_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
    soft_object_t *new_object, CK_ULONG mode, CK_KEY_TYPE key_type)
{
	ulong_t		i;
	CK_KEY_TYPE	keytype = (CK_KEY_TYPE)~0UL;
	uint64_t	attr_mask = PRIVATE_KEY_DEFAULT;
	CK_RV		rv = CKR_OK;
	int		isLabel = 0;
	int		isECParam = 0;
	/* Must set flags unless mode == SOFT_UNWRAP_KEY */
	int		isModulus = 0;
	int		isPriExpo = 0;
	int		isPrime = 0;
	int		isSubprime = 0;
	int		isBase = 0;
	/* Must set flags if mode == SOFT_GEN_KEY */
	int		isValue = 0;
	/* Must not set flags */
	int		isValueBits = 0;
	CK_ULONG	value_bits = 0;

	/* Private Key RSA optional */
	int		isPubExpo = 0;
	int		isPrime1 = 0;
	int		isPrime2 = 0;
	int		isExpo1 = 0;
	int		isExpo2 = 0;
	int		isCoef = 0;

	biginteger_t	modulus;
	biginteger_t	priexpo;
	biginteger_t	prime;
	biginteger_t	subprime;
	biginteger_t	base;
	biginteger_t	value;

	biginteger_t	pubexpo;
	biginteger_t	prime1;
	biginteger_t	prime2;
	biginteger_t	expo1;
	biginteger_t	expo2;
	biginteger_t	coef;
	CK_ATTRIBUTE	string_tmp;
	CK_ATTRIBUTE	param_tmp;
	BIGNUM	x, q;

	private_key_obj_t *pvk;
	uchar_t	object_type = 0;

	/* prevent bigint_attr_cleanup from freeing invalid attr value */
	(void) memset(&modulus, 0x0, sizeof (biginteger_t));
	(void) memset(&priexpo, 0x0, sizeof (biginteger_t));
	(void) memset(&prime, 0x0, sizeof (biginteger_t));
	(void) memset(&subprime, 0x0, sizeof (biginteger_t));
	(void) memset(&base, 0x0, sizeof (biginteger_t));
	(void) memset(&value, 0x0, sizeof (biginteger_t));
	(void) memset(&pubexpo, 0x0, sizeof (biginteger_t));
	(void) memset(&prime1, 0x0, sizeof (biginteger_t));
	(void) memset(&prime2, 0x0, sizeof (biginteger_t));
	(void) memset(&expo1, 0x0, sizeof (biginteger_t));
	(void) memset(&expo2, 0x0, sizeof (biginteger_t));
	(void) memset(&coef, 0x0, sizeof (biginteger_t));
	string_tmp.pValue = NULL;
	param_tmp.pValue = NULL;
	x.malloced = 0;
	q.malloced = 0;

	for (i = 0; i < ulAttrNum; i++) {

		/* Private Key Object Attributes */
		switch (template[i].type) {
		/* common key attributes */
		case CKA_KEY_TYPE:
			keytype = *((CK_KEY_TYPE*)template[i].pValue);
			break;

		case CKA_ID:
		case CKA_START_DATE:
		case CKA_END_DATE:

		/* common private key attribute */
		case CKA_SUBJECT:
			/*
			 * Allocate storage to hold the attribute
			 * value with byte array type, and add it to
			 * the extra attribute list of the object.
			 */
			rv = soft_add_extra_attr(&template[i],
			    new_object);
			if (rv != CKR_OK) {
				goto fail_cleanup;
			}
			break;

		/*
		 * The following key related attribute types must
		 * not be specified by C_CreateObject or C_GenerateKey(Pair).
		 */
		case CKA_LOCAL:
		case CKA_KEY_GEN_MECHANISM:
		case CKA_AUTH_PIN_FLAGS:
		case CKA_ALWAYS_SENSITIVE:
		case CKA_NEVER_EXTRACTABLE:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;

		/* Key related boolean attributes */
		case CKA_DERIVE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= DERIVE_BOOL_ON;
			break;

		case CKA_SENSITIVE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= SENSITIVE_BOOL_ON;
			break;

		case CKA_SECONDARY_AUTH:
			if (*(CK_BBOOL *)template[i].pValue) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKA_DECRYPT:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= DECRYPT_BOOL_ON;
			else
				attr_mask &= ~DECRYPT_BOOL_ON;
			break;

		case CKA_SIGN:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= SIGN_BOOL_ON;
			else
				attr_mask &= ~SIGN_BOOL_ON;
			break;

		case CKA_SIGN_RECOVER:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= SIGN_RECOVER_BOOL_ON;
			else
				attr_mask &= ~SIGN_RECOVER_BOOL_ON;
			break;

		case CKA_UNWRAP:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= UNWRAP_BOOL_ON;
			else
				attr_mask &= ~UNWRAP_BOOL_ON;
			break;

		case CKA_EXTRACTABLE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= EXTRACTABLE_BOOL_ON;
			else
				attr_mask &= ~EXTRACTABLE_BOOL_ON;
			break;

		case CKA_MODIFIABLE:
			if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE)
				attr_mask |= NOT_MODIFIABLE_BOOL_ON;
			break;

		/*
		 * The following key related attribute types must
		 * be specified according to the key type by
		 * C_CreateObject.
		 */
		case CKA_MODULUS:

			isModulus = 1;
			/*
			 * Copyin big integer attribute from template
			 * to a local variable.
			 */
			rv = get_bigint_attr_from_template(&modulus,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;

			/*
			 * Modulus length needs to be between min key length and
			 * max key length.
			 */
			if ((modulus.big_value_len <
			    MIN_RSA_KEYLENGTH_IN_BYTES) ||
			    (modulus.big_value_len >
			    MAX_RSA_KEYLENGTH_IN_BYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKA_PUBLIC_EXPONENT:

			isPubExpo = 1;
			rv = get_bigint_attr_from_template(&pubexpo,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_PRIVATE_EXPONENT:

			isPriExpo = 1;
			rv = get_bigint_attr_from_template(&priexpo,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_PRIME_1:
			isPrime1 = 1;
			rv = get_bigint_attr_from_template(&prime1,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_PRIME_2:
			isPrime2 = 1;
			rv = get_bigint_attr_from_template(&prime2,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_EXPONENT_1:
			isExpo1 = 1;
			rv = get_bigint_attr_from_template(&expo1,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_EXPONENT_2:
			isExpo2 = 1;
			rv = get_bigint_attr_from_template(&expo2,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_COEFFICIENT:
			isCoef = 1;
			rv = get_bigint_attr_from_template(&coef,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_PRIME:
			isPrime = 1;
			rv = get_bigint_attr_from_template(&prime,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_SUBPRIME:
			isSubprime = 1;
			rv = get_bigint_attr_from_template(&subprime,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_BASE:
			isBase = 1;
			rv = get_bigint_attr_from_template(&base,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_VALUE:
			isValue = 1;
			if (mode == SOFT_CREATE_OBJ) {
				if ((template[i].ulValueLen == 0) ||
				    (template[i].pValue == NULL)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}

			rv = get_bigint_attr_from_template(&value,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_VALUE_BITS:
			isValueBits = 1;
			rv = get_ulong_attr_from_template(&value_bits,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_LABEL:
			isLabel = 1;
			rv = get_string_from_template(&string_tmp,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_EC_PARAMS:
			isECParam = 1;
			rv = get_string_from_template(&param_tmp,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		default:
			rv = soft_parse_common_attrs(&template[i],
			    &object_type);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		}
	} /* For */

	/* Allocate storage for Private Key Object. */
	pvk = calloc(1, sizeof (private_key_obj_t));
	if (pvk == NULL) {
		rv = CKR_HOST_MEMORY;
		goto fail_cleanup;
	}

	new_object->object_class_u.private_key = pvk;
	new_object->class = CKO_PRIVATE_KEY;

	if ((mode == SOFT_CREATE_OBJ) && (keytype == (CK_KEY_TYPE)~0UL)) {
		rv = CKR_TEMPLATE_INCOMPLETE;
		goto fail_cleanup;
	}

	if (mode == SOFT_GEN_KEY) {
		/*
		 * The key type is not specified in the application's
		 * template, so we use the implied key type based on
		 * the mechanism.
		 */
		if (keytype == (CK_KEY_TYPE)~0UL) {
			keytype = key_type;
		}

		/* If still unspecified, template is incomplete */
		if (keytype == (CK_KEY_TYPE)~0UL) {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}

		/*
		 * The key type specified in the template does not
		 * match the implied key type based on the mechanism.
		 */
		if (keytype != key_type) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}
	}

	if (mode == SOFT_UNWRAP_KEY) {
		/*
		 * Note that, for mode SOFT_UNWRAP_KEY, key type is not
		 * implied by the mechanism (key_type), so if it is not
		 * specified from the attribute template (keytype), it is
		 * incomplete.
		 */
		if (keytype == (CK_KEY_TYPE)~0UL) {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
	}

	new_object->key_type = keytype;

	/* Supported key types of the Private Key Object */
	switch (keytype) {
	case CKK_RSA:
		if (isPrime || isSubprime || isBase || isValue ||
		    isValueBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
			if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
			    isPrime2 || isExpo1 || isExpo2 || isCoef) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			} else
				break;
		}

		if (isModulus && isPriExpo) {
			/*
			 * Copy big integer attribute value to the
			 * designated place in the Private Key object.
			 */
			copy_bigint_attr(&modulus, KEY_PRI_RSA_MOD(pvk));

			copy_bigint_attr(&priexpo, KEY_PRI_RSA_PRIEXPO(pvk));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}

		/* The following attributes are optional. */
		if (isPubExpo) {
			copy_bigint_attr(&pubexpo, KEY_PRI_RSA_PUBEXPO(pvk));
		}

		if (isPrime1) {
			copy_bigint_attr(&prime1, KEY_PRI_RSA_PRIME1(pvk));
		}

		if (isPrime2) {
			copy_bigint_attr(&prime2, KEY_PRI_RSA_PRIME2(pvk));
		}

		if (isExpo1) {
			copy_bigint_attr(&expo1, KEY_PRI_RSA_EXPO1(pvk));
		}

		if (isExpo2) {
			copy_bigint_attr(&expo2, KEY_PRI_RSA_EXPO2(pvk));
		}

		if (isCoef) {
			copy_bigint_attr(&coef, KEY_PRI_RSA_COEF(pvk));
		}
		break;

	case CKK_DSA:
		if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
		    isPrime2 || isExpo1 || isExpo2 || isCoef ||
		    isValueBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
			if (isPrime || isSubprime || isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			} else
				break;
		}

		if (isPrime && isSubprime && isBase && isValue) {
			/*
			 * The private value x must be less than subprime q.
			 * Size for big_init is in BIG_CHUNK_TYPE words.
			 */
#ifdef	__sparcv9
			if (big_init(&x,
			    (int)CHARLEN2BIGNUMLEN(value.big_value_len))
			    != BIG_OK) {
#else	/* !__sparcv9 */
			if (big_init(&x,
			    CHARLEN2BIGNUMLEN(value.big_value_len))
			    != BIG_OK) {
#endif	/* __sparcv9 */
				rv = CKR_HOST_MEMORY;
				goto fail_cleanup;
			}
#ifdef	__sparcv9
			if (big_init(&q,
			    (int)CHARLEN2BIGNUMLEN(subprime.big_value_len))
			    != BIG_OK) {
#else	/* !__sparcv9 */
			if (big_init(&q,
			    CHARLEN2BIGNUMLEN(subprime.big_value_len))
			    != BIG_OK) {
#endif	/* __sparcv9 */
				rv = CKR_HOST_MEMORY;
				goto fail_cleanup;
			}
			bytestring2bignum(&x, value.big_value,
			    value.big_value_len);
			bytestring2bignum(&q, subprime.big_value,
			    subprime.big_value_len);

			if (big_cmp_abs(&x, &q) > 0) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}

			copy_bigint_attr(&prime, KEY_PRI_DSA_PRIME(pvk));

			copy_bigint_attr(&subprime, KEY_PRI_DSA_SUBPRIME(pvk));

			copy_bigint_attr(&base, KEY_PRI_DSA_BASE(pvk));

			copy_bigint_attr(&value, KEY_PRI_DSA_VALUE(pvk));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case CKK_DH:
		if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
		    isPrime2 || isExpo1 || isExpo2 || isCoef ||
		    isSubprime) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		/* CKA_VALUE_BITS is for key gen but not unwrap */
		if (mode == SOFT_GEN_KEY)
			KEY_PRI_DH_VAL_BITS(pvk) = (isValueBits) ?
			    value_bits : 0;
		else if (mode == SOFT_UNWRAP_KEY) {
			if (isValueBits) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
		}

		if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
			if (isPrime || isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			} else
				break;
		}

		if (isValueBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (isPrime && isBase && isValue) {
			copy_bigint_attr(&prime, KEY_PRI_DH_PRIME(pvk));

			copy_bigint_attr(&base, KEY_PRI_DH_BASE(pvk));

			copy_bigint_attr(&value, KEY_PRI_DH_VALUE(pvk));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case CKK_X9_42_DH:
		if (isModulus || isPubExpo || isPriExpo || isPrime1 ||
		    isPrime2 || isExpo1 || isExpo2 || isCoef ||
		    isValueBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (mode == SOFT_GEN_KEY || mode == SOFT_UNWRAP_KEY) {
			if (isPrime || isSubprime || isBase || isValue) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			} else
				break;
		}

		if (isPrime && isSubprime && isBase && isValue) {
			copy_bigint_attr(&prime, KEY_PRI_DH942_PRIME(pvk));

			copy_bigint_attr(&base, KEY_PRI_DH942_BASE(pvk));

			copy_bigint_attr(&subprime,
			    KEY_PRI_DH942_SUBPRIME(pvk));

			copy_bigint_attr(&value, KEY_PRI_DH942_VALUE(pvk));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case CKK_EC:
		if (isModulus || isPubExpo || isPrime ||
		    isPrime1 || isPrime2 || isExpo1 || isExpo2 || isCoef ||
		    isValueBits || isBase) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;

		} else if (isECParam) {
			rv = soft_add_extra_attr(&param_tmp, new_object);
			if (rv != CKR_OK)
				goto fail_cleanup;
			string_attr_cleanup(&param_tmp);
		}
		if (isValue) {
			copy_bigint_attr(&value, KEY_PRI_EC_VALUE(pvk));
		}
		break;

	default:
		rv = CKR_TEMPLATE_INCONSISTENT;
		goto fail_cleanup;
	}

	/* Set up object. */
	new_object->object_type = object_type;
	new_object->bool_attr_mask = attr_mask;
	if (isLabel) {
		rv = soft_add_extra_attr(&string_tmp, new_object);
		if (rv != CKR_OK)
			goto fail_cleanup;
		string_attr_cleanup(&string_tmp);
	}
	big_finish(&x);
	big_finish(&q);

	return (rv);

fail_cleanup:
	/*
	 * cleanup the storage allocated to the local variables.
	 */
	bigint_attr_cleanup(&modulus);
	bigint_attr_cleanup(&priexpo);
	bigint_attr_cleanup(&prime);
	bigint_attr_cleanup(&subprime);
	bigint_attr_cleanup(&base);
	bigint_attr_cleanup(&value);
	bigint_attr_cleanup(&pubexpo);
	bigint_attr_cleanup(&prime1);
	bigint_attr_cleanup(&prime2);
	bigint_attr_cleanup(&expo1);
	bigint_attr_cleanup(&expo2);
	bigint_attr_cleanup(&coef);
	string_attr_cleanup(&string_tmp);
	string_attr_cleanup(&param_tmp);
	big_finish(&x);
	big_finish(&q);

	/*
	 * cleanup the storage allocated inside the object itself.
	 */
	soft_cleanup_object(new_object);

	return (rv);
}


/*
 * Build a Secret Key Object.
 *
 * - Parse the object's template, and when an error is detected such as
 *   invalid attribute type, invalid attribute value, etc., return
 *   with appropriate return value.
 * - Set up attribute mask field in the object for the supplied common
 *   attributes that have boolean type.
 * - Build the attribute_info struct to hold the value of each supplied
 *   attribute that has byte array type. Link attribute_info structs
 *   together to form the extra attribute list of the object.
 * - Allocate storage for the Secret Key object.
 * - Build the Secret Key object. Allocate storage to hold the big integer
 *   value for the attribute CKA_VALUE that is required for all the key
 *   types supported by secret key object.
 * This function is called internally with mode = SOFT_CREATE_OBJ_INT.
 *
 */
CK_RV
soft_build_secret_key_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
    soft_object_t *new_object, CK_ULONG mode, CK_ULONG key_len,
    CK_KEY_TYPE key_type)
{

	ulong_t		i;
	CK_KEY_TYPE	keytype = (CK_KEY_TYPE)~0UL;
	uint64_t	attr_mask = SECRET_KEY_DEFAULT;
	CK_RV		rv = CKR_OK;
	int		isLabel = 0;
	/* Must set flags if mode != SOFT_UNWRAP_KEY, else must not set */
	int		isValue = 0;
	/* Must not set flags if mode != SOFT_UNWRAP_KEY, else optional */
	int		isValueLen = 0;

	CK_ATTRIBUTE	string_tmp;

	secret_key_obj_t  *sck;
	uchar_t	object_type = 0;

	string_tmp.pValue = NULL;

	/* Allocate storage for Secret Key Object. */
	sck = calloc(1, sizeof (secret_key_obj_t));
	if (sck == NULL) {
		rv = CKR_HOST_MEMORY;
		goto fail_cleanup;
	}

	new_object->object_class_u.secret_key = sck;
	new_object->class = CKO_SECRET_KEY;

	for (i = 0; i < ulAttrNum; i++) {

		/* Secret Key Object Attributes */
		switch (template[i].type) {

		/* common key attributes */
		case CKA_KEY_TYPE:
			keytype = *((CK_KEY_TYPE*)template[i].pValue);
			break;

		case CKA_ID:
		case CKA_START_DATE:
		case CKA_END_DATE:
			/*
			 * Allocate storage to hold the attribute
			 * value with byte array type, and add it to
			 * the extra attribute list of the object.
			 */
			rv = soft_add_extra_attr(&template[i],
			    new_object);
			if (rv != CKR_OK) {
				goto fail_cleanup;
			}
			break;

		/*
		 * The following key related attribute types must
		 * not be specified by C_CreateObject and C_GenerateKey.
		 */
		case CKA_LOCAL:
		case CKA_KEY_GEN_MECHANISM:
		case CKA_ALWAYS_SENSITIVE:
		case CKA_NEVER_EXTRACTABLE:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;

		/* Key related boolean attributes */
		case CKA_DERIVE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= DERIVE_BOOL_ON;
			break;

		case CKA_SENSITIVE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= SENSITIVE_BOOL_ON;
			break;

		case CKA_ENCRYPT:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= ENCRYPT_BOOL_ON;
			else
				attr_mask &= ~ENCRYPT_BOOL_ON;
			break;

		case CKA_DECRYPT:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= DECRYPT_BOOL_ON;
			else
				attr_mask &= ~DECRYPT_BOOL_ON;
			break;

		case CKA_SIGN:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= SIGN_BOOL_ON;
			else
				attr_mask &= ~SIGN_BOOL_ON;
			break;

		case CKA_VERIFY:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= VERIFY_BOOL_ON;
			else
				attr_mask &= ~VERIFY_BOOL_ON;
			break;

		case CKA_WRAP:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= WRAP_BOOL_ON;
			else
				attr_mask &= ~WRAP_BOOL_ON;
			break;

		case CKA_UNWRAP:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= UNWRAP_BOOL_ON;
			else
				attr_mask &= ~UNWRAP_BOOL_ON;
			break;

		case CKA_EXTRACTABLE:
			if (*(CK_BBOOL *)template[i].pValue)
				attr_mask |= EXTRACTABLE_BOOL_ON;
			else
				attr_mask &= ~EXTRACTABLE_BOOL_ON;
			break;

		case CKA_MODIFIABLE:
			if ((*(CK_BBOOL *)template[i].pValue) == B_FALSE)
				attr_mask |= NOT_MODIFIABLE_BOOL_ON;
			break;

		case CKA_VALUE:
			isValue = 1;
			if (mode == SOFT_CREATE_OBJ) {
				if ((template[i].ulValueLen == 0) ||
				    (template[i].pValue == NULL)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}

			/*
			 * Copyin attribute from template
			 * to a local variable.
			 */
			rv = get_bigint_attr_from_template((biginteger_t *)sck,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_VALUE_LEN:
			isValueLen = 1;
			rv = get_ulong_attr_from_template(&sck->sk_value_len,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_LABEL:
			isLabel = 1;
			rv = get_string_from_template(&string_tmp,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		default:
			rv = soft_parse_common_attrs(&template[i],
			    &object_type);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		}
	} /* For */

	switch (mode) {
	case SOFT_CREATE_OBJ:
	case SOFT_CREATE_OBJ_INT:
	case SOFT_DERIVE_KEY_DH:
		/*
		 * The key type must be specified in the application's
		 * template. Otherwise, returns error.
		 */
		if (keytype == (CK_KEY_TYPE)~0UL) {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case SOFT_GEN_KEY:
		if (keytype == (CK_KEY_TYPE)~0UL) {
			/*
			 * The key type is not specified in the application's
			 * template, so we use the implied key type based on
			 * the mechanism.
			 */
			keytype = key_type;
		} else {
			if (keytype != key_type) {
				/*
				 * The key type specified in the template
				 * does not match the implied key type based
				 * on the mechanism.
				 */
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
		}

		/*
		 * If a key_len is passed as a parameter, it has to
		 * match the one found in the template.
		 */
		if (key_len > 0) {
			if (isValueLen && sck->sk_value_len != key_len) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
			isValueLen = 1;
			sck->sk_value_len = key_len;
		}
		break;

	case SOFT_UNWRAP_KEY:
		/*
		 * Note that, for mode SOFT_UNWRAP_KEY, key type is not
		 * implied by the mechanism (key_type), so if it is not
		 * specified from the attribute template (keytype), it is
		 * incomplete.
		 */
		if (keytype == (CK_KEY_TYPE)~0UL) {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case SOFT_DERIVE_KEY_OTHER:
		/*
		 * For CKM_MD5_KEY_DERIVATION & CKM_SHA1_KEY_DERIVATION, the
		 * key type is optional.
		 */
		if (keytype == (CK_KEY_TYPE)~0UL) {
			keytype = key_type;
		}
		break;
	}

	switch (mode) {
	case SOFT_CREATE_OBJ:
	case SOFT_CREATE_OBJ_INT:
		switch (keytype) {
		case CKK_RC4:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) ||
			    (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_GENERIC_SECRET:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			break;

		case CKK_AES:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
			    (sck->sk_value_len != AES_192_KEY_BYTES) &&
			    (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_BLOWFISH:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
			    (sck->sk_value_len > BLOWFISH_MAXBYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}

			break;

		case CKK_DES:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if (sck->sk_value_len != DES_KEYSIZE) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_DES2:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if (sck->sk_value_len != DES2_KEYSIZE) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_DES3:
			if (!isValue) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if (sck->sk_value_len != DES3_KEYSIZE) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		default:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (isValueLen) {
			/*
			 * Templates for internal object creation come from
			 * applications calls to C_DeriveKey(), for which it
			 * is OKey to pass a CKA_VALUE_LEN attribute, as
			 * long as it does not conflict with the length of the
			 * CKA_VALUE attribute.
			 */
			if ((mode != SOFT_CREATE_OBJ_INT) ||
			    ((key_len > 0) && sck->sk_value_len != key_len)) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
		}
		break;

	case SOFT_GEN_KEY:
		/* CKA_VALUE must not be specified */
		if (isValue) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		switch (keytype) {
		/*
		 * CKA_VALUE_LEN must be specified by C_GenerateKey
		 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
		 */
		case CKK_RC4:
			if (!isValueLen) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			;
			if ((sck->sk_value_len < ARCFOUR_MIN_KEY_BYTES) ||
			    (sck->sk_value_len > ARCFOUR_MAX_KEY_BYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_GENERIC_SECRET:
			/* arbitrary key length - no length checking */
			if (!isValueLen) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			break;

		case CKK_AES:
			if (!isValueLen) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}

			if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
			    (sck->sk_value_len != AES_192_KEY_BYTES) &&
			    (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}

			break;

		case CKK_BLOWFISH:
			if (!isValueLen) {
				rv = CKR_TEMPLATE_INCOMPLETE;
				goto fail_cleanup;
			}
			if ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
			    (sck->sk_value_len > BLOWFISH_MAXBYTES)) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}

			break;

		case CKK_DES:
		case CKK_DES2:
		case CKK_DES3:
			/* CKA_VALUE_LEN attribute does not apply to DES<n> */
			if (isValueLen) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
			break;

		default:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}
		break;

	case SOFT_UNWRAP_KEY:
		/*
		 * According to v2.11 of PKCS#11 spec, neither CKA_VALUE nor
		 * CKA_VALUE_LEN can be be specified; however v2.20 has this
		 * restriction removed, perhaps because it makes it hard to
		 * determine variable-length key sizes.  This case statement
		 * complied with v2.20.
		 */
		if (isValue) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		switch (keytype) {
		/*
		 * CKA_VALUE_LEN is optional
		 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET
		 * and the unwrapping mech is *_CBC_PAD.
		 *
		 * CKA_VALUE_LEN is required
		 * if key is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET
		 * and the unwrapping mech is *_ECB or *_CBC.
		 *
		 * since mech is not known at this point, CKA_VALUE_LEN is
		 * treated as optional and the caller needs to enforce it.
		 */
		case CKK_RC4:
			if (isValueLen) {
				if ((sck->sk_value_len <
				    ARCFOUR_MIN_KEY_BYTES) ||
				    (sck->sk_value_len >
				    ARCFOUR_MAX_KEY_BYTES)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}
			break;

		case CKK_GENERIC_SECRET:
			/* arbitrary key length - no length checking */
			break;

		case CKK_AES:
			if (isValueLen) {
				if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
				    (sck->sk_value_len != AES_192_KEY_BYTES) &&
				    (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}
			break;

		case CKK_BLOWFISH:
			if (isValueLen &&
			    ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
			    (sck->sk_value_len > BLOWFISH_MAXBYTES))) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_DES:
		case CKK_DES2:
		case CKK_DES3:
			/* CKA_VALUE_LEN attribute does not apply to DES<n> */
			if (isValueLen) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
			break;

		default:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}
		break;

	case SOFT_DERIVE_KEY_DH:
		/* CKA_VALUE must not be specified */
		if (isValue) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		switch (keytype) {
		/*
		 * CKA_VALUE_LEN is optional
		 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
		 */
		case CKK_RC4:
			if (isValueLen) {
				if ((sck->sk_value_len <
				    ARCFOUR_MIN_KEY_BYTES) ||
				    (sck->sk_value_len >
				    ARCFOUR_MAX_KEY_BYTES)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}
			break;

		case CKK_GENERIC_SECRET:
			/* arbitrary key length - no length checking */
			break;

		case CKK_AES:
			if (isValueLen) {
				if ((sck->sk_value_len != AES_MIN_KEY_BYTES) &&
				    (sck->sk_value_len != AES_192_KEY_BYTES) &&
				    (sck->sk_value_len != AES_MAX_KEY_BYTES)) {
					rv = CKR_ATTRIBUTE_VALUE_INVALID;
					goto fail_cleanup;
				}
			}

			break;

		case CKK_BLOWFISH:
			if (isValueLen &&
			    ((sck->sk_value_len < BLOWFISH_MINBYTES) ||
			    (sck->sk_value_len > BLOWFISH_MAXBYTES))) {
				rv = CKR_ATTRIBUTE_VALUE_INVALID;
				goto fail_cleanup;
			}
			break;

		case CKK_DES:
		case CKK_DES2:
		case CKK_DES3:
			/* CKA_VALUE_LEN attribute does not apply to DES<n> */
			if (isValueLen) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
			break;

		default:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}
		break;

	case SOFT_DERIVE_KEY_OTHER:
		/* CKA_VALUE must not be specified */
		if (isValue) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		switch (keytype) {
		/*
		 * CKA_VALUE_LEN is an optional attribute for
		 * CKM_SHA1_KEY_DERIVATION and CKM_MD5_KEY_DERIVATION
		 * if mech is CKK_RC4, CKK_AES, CKK_GENERIC_SECRET.
		 */
		case CKK_RC4:
		case CKK_GENERIC_SECRET:
		case CKK_AES:
		case CKK_BLOWFISH:
			/*
			 * No need to check key length value here, it will be
			 * validated later in soft_key_derive_check_length().
			 */
			break;

		case CKK_DES:
		case CKK_DES2:
		case CKK_DES3:
			/* CKA_VALUE_LEN attribute does not apply to DES<n> */
			if (isValueLen) {
				rv = CKR_TEMPLATE_INCONSISTENT;
				goto fail_cleanup;
			}
			break;

		default:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}
		break;
	}

	/* Set up object. */
	new_object->key_type = keytype;
	new_object->object_type = object_type;
	new_object->bool_attr_mask = attr_mask;
	if (isLabel) {
		rv = soft_add_extra_attr(&string_tmp, new_object);
		if (rv != CKR_OK)
			goto fail_cleanup;
		string_attr_cleanup(&string_tmp);
	}
	return (rv);

fail_cleanup:
	/*
	 * cleanup the storage allocated to the local variables.
	 */
	bigint_attr_cleanup((biginteger_t *)sck);
	string_attr_cleanup(&string_tmp);

	/*
	 * cleanup the storage allocated inside the object itself.
	 */
	soft_cleanup_object(new_object);

	return (rv);
}


/*
 * Build a Domain Parameter Object.
 *
 * - Parse the object's template, and when an error is detected such as
 *   invalid attribute type, invalid attribute value, etc., return
 *   with appropriate return value.
 * - Allocate storage for the Domain Parameter object.
 * - Build the Domain Parameter object according to the key type. Allocate
 *   storage to hold the big integer value for the supplied attributes
 *   that are required for a certain key type.
 *
 */
CK_RV
soft_build_domain_parameters_object(CK_ATTRIBUTE_PTR template,
    CK_ULONG ulAttrNum, soft_object_t *new_object)
{

	ulong_t		i;
	CK_KEY_TYPE	keytype = (CK_KEY_TYPE)~0UL;
	CK_RV		rv = CKR_OK;
	int		isLabel = 0;
	/* Must set flags */
	int		isPrime = 0;
	int		isSubprime = 0;
	int		isBase = 0;
	/* Must not set flags */
	int		isPrimeBits = 0;
	int		isSubPrimeBits = 0;

	biginteger_t	prime;
	biginteger_t	subprime;
	biginteger_t	base;
	CK_ATTRIBUTE	string_tmp;

	domain_obj_t	*dom;
	uchar_t	object_type = 0;

	/* prevent bigint_attr_cleanup from freeing invalid attr value */
	(void) memset(&prime, 0x0, sizeof (biginteger_t));
	(void) memset(&subprime, 0x0, sizeof (biginteger_t));
	(void) memset(&base, 0x0, sizeof (biginteger_t));
	string_tmp.pValue = NULL;

	for (i = 0; i < ulAttrNum; i++) {

		/* Domain Parameters Object Attributes */
		switch (template[i].type) {

		/* common domain parameter attribute */
		case CKA_KEY_TYPE:
			keytype = *((CK_KEY_TYPE*)template[i].pValue);
			break;

		/*
		 * The following common domain parameter attribute
		 * must not be specified by C_CreateObject.
		 */
		case CKA_LOCAL:
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;

		/*
		 * The following domain parameter attributes must be
		 * specified according to the key type by
		 * C_CreateObject.
		 */
		case CKA_PRIME:
			isPrime = 1;
			/*
			 * Copyin big integer attribute from template
			 * to a local variable.
			 */
			rv = get_bigint_attr_from_template(&prime,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_SUBPRIME:
			isSubprime = 1;
			rv = get_bigint_attr_from_template(&subprime,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_BASE:
			isBase = 1;
			rv = get_bigint_attr_from_template(&base,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		case CKA_PRIME_BITS:
			isPrimeBits = 1;
			break;

		case CKA_SUB_PRIME_BITS:
			isSubPrimeBits = 1;
			break;

		case CKA_LABEL:
			isLabel = 1;
			rv = get_string_from_template(&string_tmp,
			    &template[i]);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		default:
			rv = soft_parse_common_attrs(&template[i],
			    &object_type);
			if (rv != CKR_OK)
				goto fail_cleanup;
			break;

		}
	} /* For */

	/* Allocate storage for Domain Parameters Object. */
	dom = calloc(1, sizeof (domain_obj_t));
	if (dom == NULL) {
		rv = CKR_HOST_MEMORY;
		goto fail_cleanup;
	}

	new_object->object_class_u.domain = dom;
	new_object->class = CKO_DOMAIN_PARAMETERS;

	if (keytype == (CK_KEY_TYPE)~0UL) {
		rv = CKR_TEMPLATE_INCOMPLETE;
		goto fail_cleanup;
	}

	new_object->key_type = keytype;

	/* Supported key types of the Domain Parameters Object */
	switch (keytype) {
	case CKK_DSA:
		if (isPrimeBits || isSubPrimeBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (isPrime && isSubprime && isBase) {
			/*
			 * Copy big integer attribute value to the
			 * designated place in the domain parameter
			 * object.
			 */
			copy_bigint_attr(&prime, KEY_DOM_DSA_PRIME(dom));

			copy_bigint_attr(&subprime, KEY_DOM_DSA_SUBPRIME(dom));

			copy_bigint_attr(&base, KEY_DOM_DSA_BASE(dom));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case CKK_DH:
		if (isPrimeBits || isSubprime || isSubPrimeBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (isPrime && isBase) {
			copy_bigint_attr(&prime, KEY_DOM_DH_PRIME(dom));

			copy_bigint_attr(&base, KEY_DOM_DH_BASE(dom));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	case CKK_X9_42_DH:
		if (isPrimeBits || isSubPrimeBits) {
			rv = CKR_TEMPLATE_INCONSISTENT;
			goto fail_cleanup;
		}

		if (isPrime && isSubprime && isBase) {
			copy_bigint_attr(&prime, KEY_DOM_DH942_PRIME(dom));

			copy_bigint_attr(&base, KEY_DOM_DH942_BASE(dom));

			copy_bigint_attr(&subprime,
			    KEY_DOM_DH942_SUBPRIME(dom));
		} else {
			rv = CKR_TEMPLATE_INCOMPLETE;
			goto fail_cleanup;
		}
		break;

	default:
		rv = CKR_TEMPLATE_INCONSISTENT;
		goto fail_cleanup;
	}

	new_object->object_type = object_type;

	if (isLabel) {
		rv = soft_add_extra_attr(&string_tmp, new_object);
		if (rv != CKR_OK)
			goto fail_cleanup;
		string_attr_cleanup(&string_tmp);
	}

	return (rv);

fail_cleanup:
	/*
	 * cleanup the storage allocated to the local variables.
	 */
	bigint_attr_cleanup(&prime);
	bigint_attr_cleanup(&subprime);
	bigint_attr_cleanup(&base);
	string_attr_cleanup(&string_tmp);

	/*
	 * cleanup the storage allocated inside the object itself.
	 */
	soft_cleanup_object(new_object);

	return (rv);
}

/*
 * Build a Certificate Object
 *
 * - Parse the object's template, and when an error is detected such as
 *   invalid attribute type, invalid attribute value, etc., return
 *   with appropriate return value.
 * - Allocate storage for the Certificate object
 */
static CK_RV
soft_build_certificate_object(CK_ATTRIBUTE_PTR template,
    CK_ULONG ulAttrNum, soft_object_t *new_object,
    CK_CERTIFICATE_TYPE cert_type)
{
	uint64_t	attr_mask = 0;
	CK_RV		rv = CKR_OK;
	CK_ULONG	i;
	int		owner_set = 0;
	int		value_set = 0;
	int		subject_set = 0;
	certificate_obj_t *cert;
	/* certificate type defaults to the value given as a parameter */
	CK_CERTIFICATE_TYPE certtype = cert_type;
	CK_ATTRIBUTE	string_tmp;
	int		isLabel = 0;
	uchar_t		object_type = 0;

	/*
	 * Look for the certificate type attribute and do some
	 * sanity checking before creating the structures.
	 */
	for (i = 0; i < ulAttrNum; i++) {
		/* Certificate Object Attributes */
		switch (template[i].type) {
			case CKA_CERTIFICATE_TYPE:
				certtype =
				    *((CK_CERTIFICATE_TYPE*)template[i].pValue);
				break;
			case CKA_SUBJECT:
				subject_set = 1;
				break;
			case CKA_OWNER:
				owner_set = 1;
				break;
			case CKA_VALUE:
				value_set = 1;
				break;
		}
	}

	/* The certificate type MUST be specified */
	if (certtype != CKC_X_509 && certtype != CKC_X_509_ATTR_CERT)
		return (CKR_TEMPLATE_INCOMPLETE);

	/*
	 * For X.509 certs, the CKA_SUBJECT and CKA_VALUE
	 * must be present at creation time.
	 */
	if (certtype == CKC_X_509 &&
	    (!subject_set || !value_set))
		return (CKR_TEMPLATE_INCOMPLETE);

	/*
	 * For X.509 Attribute certs, the CKA_OWNER and CKA_VALUE
	 * must be present at creation time.
	 */
	if (certtype == CKC_X_509_ATTR_CERT &&
	    (!owner_set || !value_set))
		return (CKR_TEMPLATE_INCOMPLETE);

	string_tmp.pValue = NULL;
	cert = calloc(1, sizeof (certificate_obj_t));
	if (cert == NULL) {
		return (CKR_HOST_MEMORY);
	}
	cert->certificate_type = certtype;

	for (i = 0; i < ulAttrNum; i++) {
		/* Certificate Object Attributes */
		switch (certtype) {
			case CKC_X_509:
			switch (template[i].type) {
				case CKA_SUBJECT:
					rv = get_cert_attr_from_template(
					    &cert->cert_type_u.x509.subject,
					    &template[i]);
					break;
				case CKA_VALUE:
					rv = get_cert_attr_from_template(
					    &cert->cert_type_u.x509.value,
					    &template[i]);
					break;
				case CKA_LABEL:
					isLabel = 1;
					rv = get_string_from_template(
					    &string_tmp,
					    &template[i]);
					if (rv != CKR_OK)
						goto fail_cleanup;
					break;
				case CKA_ID:
				case CKA_ISSUER:
				case CKA_SERIAL_NUMBER:
					rv = soft_add_extra_attr(&template[i],
					    new_object);
					break;
				case CKA_MODIFIABLE:
					if ((*(CK_BBOOL *)template[i].pValue) ==
					    B_FALSE)
						attr_mask |=
						    NOT_MODIFIABLE_BOOL_ON;
					break;
				case CKA_CERTIFICATE_TYPE:
					break;
				default:
					rv = soft_parse_common_attrs(
					    &template[i], &object_type);
					if (rv != CKR_OK)
						goto fail_cleanup;
			}
			break;
			case CKC_X_509_ATTR_CERT:
			switch (template[i].type) {
				case CKA_OWNER:
					rv = get_cert_attr_from_template(
					    &cert->cert_type_u.x509_attr.owner,
					    &template[i]);
					break;
				case CKA_VALUE:
					rv = get_cert_attr_from_template(
					    &cert->cert_type_u.x509_attr.value,
					    &template[i]);
					break;
				case CKA_LABEL:
					isLabel = 1;
					rv = get_string_from_template(
					    &string_tmp, &template[i]);
					if (rv != CKR_OK)
						goto fail_cleanup;
					break;
				case CKA_SERIAL_NUMBER:
				case CKA_AC_ISSUER:
				case CKA_ATTR_TYPES:
					rv = soft_add_extra_attr(&template[i],
					    new_object);
					break;

				case CKA_MODIFIABLE:
					if ((*(CK_BBOOL *)template[i].pValue) ==
					    B_FALSE)
						attr_mask |=
						    NOT_MODIFIABLE_BOOL_ON;
					break;
				case CKA_CERTIFICATE_TYPE:
					break;
				default:
					rv = soft_parse_common_attrs(
					    &template[i], &object_type);
					if (rv != CKR_OK)
						goto fail_cleanup;
					break;
			}
			break;
			default:
				rv = CKR_TEMPLATE_INCOMPLETE;
				break;
		}
	}

	if (rv == CKR_OK) {
		new_object->object_class_u.certificate = cert;
		new_object->class = CKO_CERTIFICATE;
		new_object->object_type = object_type;
		new_object->cert_type = certtype;
		new_object->bool_attr_mask = attr_mask;
		if (isLabel) {
			rv = soft_add_extra_attr(&string_tmp, new_object);
			if (rv != CKR_OK)
				goto fail_cleanup;
			string_attr_cleanup(&string_tmp);
		}
	}

fail_cleanup:
	if (rv != CKR_OK) {
		soft_cleanup_cert_object(new_object);
	}
	return (rv);
}


/*
 * Validate the attribute types in the object's template. Then,
 * call the appropriate build function according to the class of
 * the object specified in the template.
 *
 * Note: The following classes of objects are supported:
 * - CKO_PUBLIC_KEY
 * - CKO_PRIVATE_KEY
 * - CKO_SECRET_KEY
 * - CKO_DOMAIN_PARAMETERS
 * - CKO_CERTIFICATE
 *
 */
CK_RV
soft_build_object(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
    soft_object_t *new_object)
{

	CK_OBJECT_CLASS class = (CK_OBJECT_CLASS)~0UL;
	CK_RV		rv = CKR_OK;

	if (template == NULL) {
		return (CKR_ARGUMENTS_BAD);
	}

	/* Validate the attribute type in the template. */
	rv = soft_validate_attr(template, ulAttrNum, &class);
	if (rv != CKR_OK)
		return (rv);
	/*
	 * CKA_CLASS is a mandatory attribute for C_CreateObject
	 */
	if (class == (CK_OBJECT_CLASS)~0UL)
		return (CKR_TEMPLATE_INCOMPLETE);

	/*
	 * Call the appropriate function based on the supported class
	 * of the object.
	 */
	switch (class) {
	case CKO_PUBLIC_KEY:
		rv = soft_build_public_key_object(template, ulAttrNum,
		    new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL);
		break;

	case CKO_PRIVATE_KEY:
		rv = soft_build_private_key_object(template, ulAttrNum,
		    new_object, SOFT_CREATE_OBJ, (CK_KEY_TYPE)~0UL);
		break;

	case CKO_SECRET_KEY:
		rv = soft_build_secret_key_object(template, ulAttrNum,
		    new_object, SOFT_CREATE_OBJ, 0, (CK_KEY_TYPE)~0UL);
		break;

	case CKO_DOMAIN_PARAMETERS:
		rv = soft_build_domain_parameters_object(template, ulAttrNum,
		    new_object);
		break;

	case CKO_CERTIFICATE:
		rv = soft_build_certificate_object(template, ulAttrNum,
		    new_object, (CK_CERTIFICATE_TYPE)~0UL);
		break;

	case CKO_DATA:
	case CKO_HW_FEATURE:
	case CKO_VENDOR_DEFINED:
	default:
		return (CKR_ATTRIBUTE_VALUE_INVALID);
	}

	return (rv);
}

/*
 * Validate the attribute types in the object's template. Then,
 * call the appropriate build function according to the class of
 * the object specified in the template.
 *
 */
CK_RV
soft_build_key(CK_ATTRIBUTE_PTR template, CK_ULONG ulAttrNum,
    soft_object_t *new_object, CK_OBJECT_CLASS class, CK_KEY_TYPE key_type,
    CK_ULONG key_len, CK_ULONG mode)
{

	CK_RV		rv = CKR_OK;
	CK_OBJECT_CLASS temp_class = (CK_OBJECT_CLASS)~0UL;

	/* Validate the attribute type in the template. */
	if ((template != NULL) && (ulAttrNum != 0)) {
		rv = soft_validate_attr(template, ulAttrNum, &temp_class);
		if (rv != CKR_OK)
			return (rv);
	}

	/*
	 * If either the class from the parameter list ("class") or
	 * the class from the template ("temp_class") is not specified,
	 * try to use the other one.
	 */
	if (temp_class == (CK_OBJECT_CLASS)~0UL) {
		temp_class = class;
	} else if (class == (CK_OBJECT_CLASS)~0UL) {
		class = temp_class;
	}

	/* If object class is still not specified, template is incomplete. */
	if (class == (CK_OBJECT_CLASS)~0UL)
		return (CKR_TEMPLATE_INCOMPLETE);

	/* Class should match if specified in both parameters and template. */
	if (class != temp_class)
		return (CKR_TEMPLATE_INCONSISTENT);

	/*
	 * Call the appropriate function based on the supported class
	 * of the object.
	 */
	switch (class) {
	case CKO_PUBLIC_KEY:

		/* Unwrapping public keys is not supported. */
		if (mode == SOFT_UNWRAP_KEY) {
			rv = CKR_ATTRIBUTE_VALUE_INVALID;
			break;
		}

		rv = soft_build_public_key_object(template, ulAttrNum,
		    new_object, mode, key_type);
		break;

	case CKO_PRIVATE_KEY:

		rv = soft_build_private_key_object(template, ulAttrNum,
		    new_object, mode, key_type);
		break;

	case CKO_SECRET_KEY:

		rv = soft_build_secret_key_object(template, ulAttrNum,
		    new_object, mode, key_len, key_type);
		break;

	case CKO_DOMAIN_PARAMETERS:

		/* Unwrapping domain parameters is not supported. */
		if (mode == SOFT_UNWRAP_KEY) {
			rv = CKR_ATTRIBUTE_VALUE_INVALID;
			break;
		}

		rv = soft_build_domain_parameters_object(template, ulAttrNum,
		    new_object);
		break;

	case CKO_DATA:
	case CKO_CERTIFICATE:
	case CKO_HW_FEATURE:
	case CKO_VENDOR_DEFINED:
	default:
		return (CKR_ATTRIBUTE_VALUE_INVALID);
	}

	return (rv);
}


/*
 * Get the value of a requested attribute that is common to all supported
 * classes (i.e. public key, private key, secret key, domain parameters,
 * and certificate classes).
 */
CK_RV
soft_get_common_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template,
    uchar_t object_type)
{

	CK_RV rv = CKR_OK;

	switch (template->type) {

	case CKA_CLASS:
		return (get_ulong_attr_from_object(object_p->class,
		    template));

	/* default boolean attributes */
	case CKA_TOKEN:
		template->ulValueLen = sizeof (CK_BBOOL);
		if (template->pValue == NULL) {
			return (CKR_OK);
		}
		if (object_type & TOKEN_OBJECT)
			*((CK_BBOOL *)template->pValue) = B_TRUE;
		else
			*((CK_BBOOL *)template->pValue) = B_FALSE;
		break;

	case CKA_PRIVATE:

		template->ulValueLen = sizeof (CK_BBOOL);
		if (template->pValue == NULL) {
			return (CKR_OK);
		}
		if (object_type & PRIVATE_OBJECT)
			*((CK_BBOOL *)template->pValue) = B_TRUE;
		else
			*((CK_BBOOL *)template->pValue) = B_FALSE;
		break;

	case CKA_MODIFIABLE:
		template->ulValueLen = sizeof (CK_BBOOL);
		if (template->pValue == NULL) {
			return (CKR_OK);
		}
		if ((object_p->bool_attr_mask) & NOT_MODIFIABLE_BOOL_ON)
			*((CK_BBOOL *)template->pValue) = B_FALSE;
		else
			*((CK_BBOOL *)template->pValue) = B_TRUE;
		break;

	case CKA_LABEL:
		return (get_extra_attr_from_object(object_p,
		    template));

	default:
		/*
		 * The specified attribute for the object is invalid.
		 * (the object does not possess such an attribute.)
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_ATTRIBUTE_TYPE_INVALID);
	}

	return (rv);
}

/*
 * Get the value of a requested attribute that is common to all key objects
 * (i.e. public key, private key and secret key).
 */
CK_RV
soft_get_common_key_attrs(soft_object_t *object_p, CK_ATTRIBUTE_PTR template)
{

	switch (template->type) {

	case CKA_KEY_TYPE:
		return (get_ulong_attr_from_object(object_p->key_type,
		    template));

	case CKA_ID:
	case CKA_START_DATE:
	case CKA_END_DATE:
		/*
		 * The above extra attributes have byte array type.
		 */
		return (get_extra_attr_from_object(object_p,
		    template));

	/* Key related boolean attributes */
	case CKA_LOCAL:
		return (get_bool_attr_from_object(object_p,
		    LOCAL_BOOL_ON, template));

	case CKA_DERIVE:
		return (get_bool_attr_from_object(object_p,
		    DERIVE_BOOL_ON, template));

	case CKA_KEY_GEN_MECHANISM:
		return (get_ulong_attr_from_object(object_p->mechanism,
		    template));

	default:
		return (CKR_ATTRIBUTE_TYPE_INVALID);
	}
}

/*
 * Get the value of a requested attribute of a Public Key Object.
 *
 * Rule: All the attributes in the public key object can be revealed.
 */
CK_RV
soft_get_public_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template)
{

	CK_RV		rv = CKR_OK;
	CK_KEY_TYPE	keytype = object_p->key_type;

	switch (template->type) {

	case CKA_SUBJECT:
	case CKA_EC_PARAMS:
		/*
		 * The above extra attributes have byte array type.
		 */
		return (get_extra_attr_from_object(object_p,
		    template));

	/* Key related boolean attributes */
	case CKA_ENCRYPT:
		return (get_bool_attr_from_object(object_p,
		    ENCRYPT_BOOL_ON, template));

	case CKA_VERIFY:
		return (get_bool_attr_from_object(object_p,
		    VERIFY_BOOL_ON, template));

	case CKA_VERIFY_RECOVER:
		return (get_bool_attr_from_object(object_p,
		    VERIFY_RECOVER_BOOL_ON, template));

	case CKA_WRAP:
		return (get_bool_attr_from_object(object_p,
		    WRAP_BOOL_ON, template));

	case CKA_TRUSTED:
		return (get_bool_attr_from_object(object_p,
		    TRUSTED_BOOL_ON, template));

	case CKA_MODULUS:
		/*
		 * This attribute is valid only for RSA public key
		 * object.
		 */
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PUB_RSA_MOD(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_PUBLIC_EXPONENT:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PUB_RSA_PUBEXPO(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_MODULUS_BITS:
		if (keytype == CKK_RSA) {
			return (get_ulong_attr_from_object(
			    OBJ_PUB_RSA_MOD_BITS(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_PRIME:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DSA_PRIME(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH_PRIME(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH942_PRIME(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_SUBPRIME:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DSA_SUBPRIME(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH942_SUBPRIME(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_BASE:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DSA_BASE(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH_BASE(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH942_BASE(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_EC_POINT:
		return (get_bigint_attr_from_object(
		    OBJ_PUB_EC_POINT(object_p), template));

	case CKA_VALUE:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DSA_VALUE(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH_VALUE(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PUB_DH942_VALUE(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	default:
		/*
		 * First, get the value of the request attribute defined
		 * in the list of common key attributes. If the request
		 * attribute is not found in that list, then get the
		 * attribute from the list of common attributes.
		 */
		rv = soft_get_common_key_attrs(object_p, template);
		if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
			rv = soft_get_common_attrs(object_p, template,
			    object_p->object_type);
		}
		break;
	}

	return (rv);
}


/*
 * Get the value of a requested attribute of a Private Key Object.
 *
 * Rule: All the attributes in the private key object can be revealed
 *       except those marked with footnote number "7" when the object
 *       has its CKA_SENSITIVE attribute set to TRUE or its
 *       CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
 */
CK_RV
soft_get_private_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template)
{

	CK_RV		rv = CKR_OK;
	CK_KEY_TYPE	keytype = object_p->key_type;


	/*
	 * If the following specified attributes for the private key
	 * object cannot be revealed because the object is sensitive
	 * or unextractable, then the ulValueLen is set to -1.
	 */
	if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) ||
	    !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {

		switch (template->type) {
		case CKA_PRIVATE_EXPONENT:
		case CKA_PRIME_1:
		case CKA_PRIME_2:
		case CKA_EXPONENT_1:
		case CKA_EXPONENT_2:
		case CKA_COEFFICIENT:
		case CKA_VALUE:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_SENSITIVE);
		}
	}

	switch (template->type) {

	case CKA_SUBJECT:
	case CKA_EC_PARAMS:
		/*
		 * The above extra attributes have byte array type.
		 */
		return (get_extra_attr_from_object(object_p,
		    template));

	/* Key related boolean attributes */
	case CKA_SENSITIVE:
		return (get_bool_attr_from_object(object_p,
		    SENSITIVE_BOOL_ON, template));

	case CKA_SECONDARY_AUTH:
		return (get_bool_attr_from_object(object_p,
		    SECONDARY_AUTH_BOOL_ON, template));

	case CKA_DECRYPT:
		return (get_bool_attr_from_object(object_p,
		    DECRYPT_BOOL_ON, template));

	case CKA_SIGN:
		return (get_bool_attr_from_object(object_p,
		    SIGN_BOOL_ON, template));

	case CKA_SIGN_RECOVER:
		return (get_bool_attr_from_object(object_p,
		    SIGN_RECOVER_BOOL_ON, template));

	case CKA_UNWRAP:
		return (get_bool_attr_from_object(object_p,
		    UNWRAP_BOOL_ON, template));

	case CKA_EXTRACTABLE:
		return (get_bool_attr_from_object(object_p,
		    EXTRACTABLE_BOOL_ON, template));

	case CKA_ALWAYS_SENSITIVE:
		return (get_bool_attr_from_object(object_p,
		    ALWAYS_SENSITIVE_BOOL_ON, template));

	case CKA_NEVER_EXTRACTABLE:
		return (get_bool_attr_from_object(object_p,
		    NEVER_EXTRACTABLE_BOOL_ON, template));

	case CKA_MODULUS:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_MOD(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_PUBLIC_EXPONENT:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_PUBEXPO(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_PRIVATE_EXPONENT:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_PRIEXPO(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_PRIME_1:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_PRIME1(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_PRIME_2:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_PRIME2(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_EXPONENT_1:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_EXPO1(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_EXPONENT_2:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_EXPO2(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_COEFFICIENT:
		if (keytype == CKK_RSA) {
			return (get_bigint_attr_from_object(
			    OBJ_PRI_RSA_COEF(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_VALUE_BITS:
		if (keytype == CKK_DH) {
			return (get_ulong_attr_from_object(
			    OBJ_PRI_DH_VAL_BITS(object_p), template));
		} else {
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}

	case CKA_PRIME:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DSA_PRIME(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH_PRIME(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH942_PRIME(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_SUBPRIME:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DSA_SUBPRIME(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH942_SUBPRIME(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_BASE:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DSA_BASE(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH_BASE(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH942_BASE(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_VALUE:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DSA_VALUE(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH_VALUE(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_DH942_VALUE(object_p), template));

		case CKK_EC:
			return (get_bigint_attr_from_object(
			    OBJ_PRI_EC_VALUE(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	default:
		/*
		 * First, get the value of the request attribute defined
		 * in the list of common key attributes. If the request
		 * attribute is not found in that list, then get the
		 * attribute from the list of common attributes.
		 */
		rv = soft_get_common_key_attrs(object_p, template);
		if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
			rv = soft_get_common_attrs(object_p, template,
			    object_p->object_type);
		}
		break;
	}

	return (rv);
}


/*
 * Get the value of a requested attribute of a Secret Key Object.
 *
 * Rule: All the attributes in the secret key object can be revealed
 *       except those marked with footnote number "7" when the object
 *       has its CKA_SENSITIVE attribute set to TRUE or its
 *       CKA_EXTRACTABLE attribute set to FALSE (p.88 in PKCS11 spec.).
 */
CK_RV
soft_get_secret_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template)
{

	CK_RV		rv = CKR_OK;
	CK_KEY_TYPE	keytype = object_p->key_type;

	switch (template->type) {

	/* Key related boolean attributes */
	case CKA_SENSITIVE:
		return (get_bool_attr_from_object(object_p,
		    SENSITIVE_BOOL_ON, template));

	case CKA_ENCRYPT:
		return (get_bool_attr_from_object(object_p,
		    ENCRYPT_BOOL_ON, template));

	case CKA_DECRYPT:
		return (get_bool_attr_from_object(object_p,
		    DECRYPT_BOOL_ON, template));

	case CKA_SIGN:
		return (get_bool_attr_from_object(object_p,
		    SIGN_BOOL_ON, template));

	case CKA_VERIFY:
		return (get_bool_attr_from_object(object_p,
		    VERIFY_BOOL_ON, template));

	case CKA_WRAP:
		return (get_bool_attr_from_object(object_p,
		    WRAP_BOOL_ON, template));

	case CKA_UNWRAP:
		return (get_bool_attr_from_object(object_p,
		    UNWRAP_BOOL_ON, template));

	case CKA_EXTRACTABLE:
		return (get_bool_attr_from_object(object_p,
		    EXTRACTABLE_BOOL_ON, template));

	case CKA_ALWAYS_SENSITIVE:
		return (get_bool_attr_from_object(object_p,
		    ALWAYS_SENSITIVE_BOOL_ON, template));

	case CKA_NEVER_EXTRACTABLE:
		return (get_bool_attr_from_object(object_p,
		    NEVER_EXTRACTABLE_BOOL_ON, template));

	case CKA_VALUE:
	case CKA_VALUE_LEN:
		/*
		 * If the specified attribute for the secret key object
		 * cannot be revealed because the object is sensitive
		 * or unextractable, then the ulValueLen is set to -1.
		 */
		if ((object_p->bool_attr_mask & SENSITIVE_BOOL_ON) ||
		    !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_SENSITIVE);
		}

		switch (keytype) {
		case CKK_RC4:
		case CKK_GENERIC_SECRET:
		case CKK_RC5:
		case CKK_DES:
		case CKK_DES2:
		case CKK_DES3:
		case CKK_CDMF:
		case CKK_AES:
		case CKK_BLOWFISH:
			if (template->type == CKA_VALUE_LEN) {
				return (get_ulong_attr_from_object(
				    OBJ_SEC_VALUE_LEN(object_p),
				    template));
			} else {
				return (get_bigint_attr_from_object(
				    (biginteger_t *)OBJ_SEC(object_p),
				    template));
			}
		default:
			template->ulValueLen = (CK_ULONG)-1;
			rv = CKR_ATTRIBUTE_TYPE_INVALID;
			break;
		}
		break;

	default:
		/*
		 * First, get the value of the request attribute defined
		 * in the list of common key attributes. If the request
		 * attribute is not found in that list, then get the
		 * attribute from the list of common attributes.
		 */
		rv = soft_get_common_key_attrs(object_p, template);
		if (rv == CKR_ATTRIBUTE_TYPE_INVALID) {
			rv = soft_get_common_attrs(object_p, template,
			    object_p->object_type);
		}
		break;
	}

	return (rv);
}


/*
 * Get the value of a requested attribute of a Domain Parameters Object.
 *
 * Rule: All the attributes in the domain parameters object can be revealed.
 */
CK_RV
soft_get_domain_parameters_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template)
{

	CK_RV		rv = CKR_OK;
	CK_KEY_TYPE	keytype = object_p->key_type;

	switch (template->type) {

	case CKA_KEY_TYPE:
		return (get_ulong_attr_from_object(keytype,
		    template));

	case CKA_LOCAL:
		return (get_bool_attr_from_object(object_p,
		    LOCAL_BOOL_ON, template));

	case CKA_PRIME:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DSA_PRIME(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DH_PRIME(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DH942_PRIME(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_SUBPRIME:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DSA_SUBPRIME(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DH942_SUBPRIME(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_BASE:
		switch (keytype) {
		case CKK_DSA:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DSA_BASE(object_p), template));

		case CKK_DH:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DH_BASE(object_p), template));

		case CKK_X9_42_DH:
			return (get_bigint_attr_from_object(
			    OBJ_DOM_DH942_BASE(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_PRIME_BITS:
		switch (keytype) {
		case CKK_DSA:
			return (get_ulong_attr_from_object(
			    OBJ_DOM_DSA_PRIME_BITS(object_p), template));

		case CKK_DH:
			return (get_ulong_attr_from_object(
			    OBJ_DOM_DH_PRIME_BITS(object_p), template));

		case CKK_X9_42_DH:
			return (get_ulong_attr_from_object(
			    OBJ_DOM_DH942_PRIME_BITS(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	case CKA_SUB_PRIME_BITS:
		switch (keytype) {
		case CKK_X9_42_DH:
			return (get_ulong_attr_from_object(
			    OBJ_DOM_DH942_SUBPRIME_BITS(object_p), template));

		default:
			template->ulValueLen = (CK_ULONG)-1;
			return (CKR_ATTRIBUTE_TYPE_INVALID);
		}

	default:
		/*
		 * Get the value of a common attribute.
		 */
		rv = soft_get_common_attrs(object_p, template,
		    object_p->object_type);
		break;
	}

	return (rv);
}

/*
 * Get certificate attributes from an object.
 * return CKR_ATTRIBUTE_TYPE_INVALID if the requested type
 * does not exist in the certificate.
 */
CK_RV
soft_get_certificate_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template)
{
	CK_CERTIFICATE_TYPE certtype = object_p->cert_type;
	cert_attr_t src;

	switch (template->type) {
		case CKA_SUBJECT:
			if (certtype == CKC_X_509) {
				return (get_cert_attr_from_object(
				    X509_CERT_SUBJECT(object_p), template));
			}
			break;
		case CKA_VALUE:
			if (certtype == CKC_X_509) {
				return (get_cert_attr_from_object(
				    X509_CERT_VALUE(object_p), template));
			} else if (certtype == CKC_X_509_ATTR_CERT) {
				return (get_cert_attr_from_object(
				    X509_ATTR_CERT_VALUE(object_p), template));
			}
			break;
		case CKA_OWNER:
			if (certtype == CKC_X_509_ATTR_CERT) {
				return (get_cert_attr_from_object(
				    X509_ATTR_CERT_OWNER(object_p), template));
			}
			break;
		case CKA_CERTIFICATE_TYPE:
			src.value = (CK_BYTE *)&certtype;
			src.length = sizeof (certtype);
			return (get_cert_attr_from_object(&src, template));
		case CKA_TRUSTED:
			return (get_bool_attr_from_object(object_p,
			    TRUSTED_BOOL_ON, template));
		case CKA_ID:
		case CKA_ISSUER:
		case CKA_SERIAL_NUMBER:
		case CKA_AC_ISSUER:
		case CKA_ATTR_TYPES:
			return (get_extra_attr_from_object(object_p,
			    template));
		default:
			return (soft_get_common_attrs(object_p, template,
			    object_p->object_type));
	}

	/*
	 * If we got this far, then the combination of certificate type
	 * and requested attribute is invalid.
	 */
	return (CKR_ATTRIBUTE_TYPE_INVALID);
}

CK_RV
soft_set_certificate_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template, boolean_t copy)
{
	CK_CERTIFICATE_TYPE certtype = object_p->cert_type;

	switch (template->type) {
		case CKA_SUBJECT:
			if (certtype == CKC_X_509) {
				/* SUBJECT attr cannot be modified. */
				return (CKR_ATTRIBUTE_READ_ONLY);
			}
			break;
		case CKA_OWNER:
			if (certtype == CKC_X_509_ATTR_CERT) {
				/* OWNER attr cannot be modified. */
				return (CKR_ATTRIBUTE_READ_ONLY);
			}
			break;
		case CKA_VALUE:
			/* VALUE attr cannot be modified. */
			return (CKR_ATTRIBUTE_READ_ONLY);
		case CKA_ID:
		case CKA_ISSUER:
			if (certtype == CKC_X_509) {
				return (set_extra_attr_to_object(object_p,
				    template->type, template));
			}
			break;
		case CKA_AC_ISSUER:
		case CKA_ATTR_TYPES:
			if (certtype == CKC_X_509_ATTR_CERT) {
				return (set_extra_attr_to_object(object_p,
				    template->type, template));
			}
			break;
		case CKA_SERIAL_NUMBER:
		case CKA_LABEL:
			return (set_extra_attr_to_object(object_p,
			    template->type, template));
		default:
			return (soft_set_common_storage_attribute(
			    object_p, template, copy));
	}

	/*
	 * If we got this far, then the combination of certificate type
	 * and requested attribute is invalid.
	 */
	return (CKR_ATTRIBUTE_TYPE_INVALID);
}

/*
 * Call the appropriate get attribute function according to the class
 * of object.
 *
 * The caller of this function holds the lock on the object.
 */
CK_RV
soft_get_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template)
{

	CK_RV		rv = CKR_OK;
	CK_OBJECT_CLASS class = object_p->class;

	switch (class) {
	case CKO_PUBLIC_KEY:
		rv = soft_get_public_key_attribute(object_p, template);
		break;

	case CKO_PRIVATE_KEY:
		rv = soft_get_private_key_attribute(object_p, template);
		break;

	case CKO_SECRET_KEY:
		rv = soft_get_secret_key_attribute(object_p, template);
		break;

	case CKO_DOMAIN_PARAMETERS:
		rv = soft_get_domain_parameters_attribute(object_p, template);
		break;

	case CKO_CERTIFICATE:
		rv = soft_get_certificate_attribute(object_p, template);
		break;

	default:
		/*
		 * If the specified attribute for the object is invalid
		 * (the object does not possess such as attribute), then
		 * the ulValueLen is modified to hold the value -1.
		 */
		template->ulValueLen = (CK_ULONG)-1;
		return (CKR_ATTRIBUTE_TYPE_INVALID);
	}

	return (rv);

}

CK_RV
soft_set_common_storage_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template, boolean_t copy)
{

	CK_RV rv = CKR_OK;

	switch (template->type) {

	case CKA_TOKEN:
		if (copy) {
			if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
				if (!soft_keystore_status(KEYSTORE_INITIALIZED))
					return (CKR_DEVICE_REMOVED);
				object_p->object_type |= TOKEN_OBJECT;
			}
		} else {
			rv = CKR_ATTRIBUTE_READ_ONLY;
		}

		break;

	case CKA_PRIVATE:
		if (copy) {
			if ((*(CK_BBOOL *)template->pValue) == B_TRUE) {
				(void) pthread_mutex_lock(&soft_giant_mutex);
				if (!soft_slot.authenticated) {
					/*
					 * Check if this is the special case
					 * when the PIN is never initialized
					 * in the keystore. If true, we will
					 * let it pass here and let it fail
					 * with CKR_PIN_EXPIRED later on.
					 */
					if (!soft_slot.userpin_change_needed) {
						(void) pthread_mutex_unlock(
						    &soft_giant_mutex);
						return (CKR_USER_NOT_LOGGED_IN);
					}
				}
				(void) pthread_mutex_unlock(&soft_giant_mutex);
				object_p->object_type |= PRIVATE_OBJECT;
			}
		} else {
			rv = CKR_ATTRIBUTE_READ_ONLY;
		}
		break;

	case CKA_MODIFIABLE:
		if (copy) {
			if ((*(CK_BBOOL *)template->pValue) == TRUE)
				object_p->bool_attr_mask &=
				    ~NOT_MODIFIABLE_BOOL_ON;
			else
				object_p->bool_attr_mask |=
				    NOT_MODIFIABLE_BOOL_ON;
		} else {
			rv = CKR_ATTRIBUTE_READ_ONLY;
		}
		break;

	case CKA_CLASS:
		rv = CKR_ATTRIBUTE_READ_ONLY;
		break;

	default:
		rv = CKR_TEMPLATE_INCONSISTENT;
	}

	return (rv);
}

/*
 * Set the value of an attribute that is common to all key objects
 * (i.e. public key, private key and secret key).
 */
CK_RV
soft_set_common_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template, boolean_t copy)
{

	switch (template->type) {

	case CKA_LABEL:
		/*
		 * Only the LABEL can be modified in the common storage
		 * object attributes after the object is created.
		 */
		return (set_extra_attr_to_object(object_p,
		    CKA_LABEL, template));

	case CKA_ID:
		return (set_extra_attr_to_object(object_p,
		    CKA_ID, template));

	case CKA_START_DATE:
		return (set_extra_attr_to_object(object_p,
		    CKA_START_DATE, template));

	case CKA_END_DATE:
		return (set_extra_attr_to_object(object_p,
		    CKA_END_DATE, template));

	case CKA_DERIVE:
		return (set_bool_attr_to_object(object_p,
		    DERIVE_BOOL_ON, template));

	case CKA_KEY_TYPE:
	case CKA_LOCAL:
	case CKA_KEY_GEN_MECHANISM:
		return (CKR_ATTRIBUTE_READ_ONLY);

	default:
		return (soft_set_common_storage_attribute(object_p,
		    template, copy));

	}

}


/*
 * Set the value of an attribute of a Public Key Object.
 *
 * Rule: The attributes marked with footnote number "8" in the PKCS11
 *       spec may be modified (p.88 in PKCS11 spec.).
 */
CK_RV
soft_set_public_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template, boolean_t copy)
{
	CK_KEY_TYPE	keytype = object_p->key_type;

	switch (template->type) {

	case CKA_SUBJECT:
		return (set_extra_attr_to_object(object_p,
		    CKA_SUBJECT, template));

	case CKA_ENCRYPT:
		return (set_bool_attr_to_object(object_p,
		    ENCRYPT_BOOL_ON, template));

	case CKA_VERIFY:
		return (set_bool_attr_to_object(object_p,
		    VERIFY_BOOL_ON, template));

	case CKA_VERIFY_RECOVER:
		return (set_bool_attr_to_object(object_p,
		    VERIFY_RECOVER_BOOL_ON, template));

	case CKA_WRAP:
		return (set_bool_attr_to_object(object_p,
		    WRAP_BOOL_ON, template));

	case CKA_MODULUS:
	case CKA_MODULUS_BITS:
	case CKA_PUBLIC_EXPONENT:
		if (keytype == CKK_RSA)
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	case CKA_SUBPRIME:
		if ((keytype == CKK_DSA) ||
		    (keytype == CKK_X9_42_DH))
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	case CKA_PRIME:
	case CKA_BASE:
	case CKA_VALUE:
		if ((keytype == CKK_DSA) ||
		    (keytype == CKK_DH) ||
		    (keytype == CKK_X9_42_DH))
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	default:
		/*
		 * Set the value of a common key attribute.
		 */
		return (soft_set_common_key_attribute(object_p,
		    template, copy));

	}
	/*
	 * If we got this far, then the combination of key type
	 * and requested attribute is invalid.
	 */
	return (CKR_ATTRIBUTE_TYPE_INVALID);
}


/*
 * Set the value of an attribute of a Private Key Object.
 *
 * Rule: The attributes marked with footnote number "8" in the PKCS11
 *       spec may be modified (p.88 in PKCS11 spec.).
 */
CK_RV
soft_set_private_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template, boolean_t copy)
{
	CK_KEY_TYPE	keytype = object_p->key_type;

	switch (template->type) {

	case CKA_SUBJECT:
		return (set_extra_attr_to_object(object_p,
		    CKA_SUBJECT, template));

	case CKA_SENSITIVE:
		/*
		 * Cannot set SENSITIVE to FALSE if it is already ON.
		 */
		if (((*(CK_BBOOL *)template->pValue) == B_FALSE) &&
		    (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
			return (CKR_ATTRIBUTE_READ_ONLY);
		}

		if (*(CK_BBOOL *)template->pValue)
			object_p->bool_attr_mask |= SENSITIVE_BOOL_ON;
		return (CKR_OK);

	case CKA_DECRYPT:
		return (set_bool_attr_to_object(object_p,
		    DECRYPT_BOOL_ON, template));

	case CKA_SIGN:
		return (set_bool_attr_to_object(object_p,
		    SIGN_BOOL_ON, template));

	case CKA_SIGN_RECOVER:
		return (set_bool_attr_to_object(object_p,
		    SIGN_RECOVER_BOOL_ON, template));

	case CKA_UNWRAP:
		return (set_bool_attr_to_object(object_p,
		    UNWRAP_BOOL_ON, template));

	case CKA_EXTRACTABLE:
		/*
		 * Cannot set EXTRACTABLE to TRUE if it is already OFF.
		 */
		if ((*(CK_BBOOL *)template->pValue) &&
		    !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
			return (CKR_ATTRIBUTE_READ_ONLY);
		}

		if ((*(CK_BBOOL *)template->pValue) == B_FALSE)
			object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON;
		return (CKR_OK);

	case CKA_MODULUS:
	case CKA_PUBLIC_EXPONENT:
	case CKA_PRIVATE_EXPONENT:
	case CKA_PRIME_1:
	case CKA_PRIME_2:
	case CKA_EXPONENT_1:
	case CKA_EXPONENT_2:
	case CKA_COEFFICIENT:
		if (keytype == CKK_RSA) {
			return (CKR_ATTRIBUTE_READ_ONLY);
		}
		break;

	case CKA_SUBPRIME:
		if ((keytype == CKK_DSA) ||
		    (keytype == CKK_X9_42_DH))
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	case CKA_PRIME:
	case CKA_BASE:
	case CKA_VALUE:
		if ((keytype == CKK_DSA) ||
		    (keytype == CKK_DH) ||
		    (keytype == CKK_X9_42_DH))
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	case CKA_VALUE_BITS:
		if (keytype == CKK_DH)
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	default:
		/*
		 * Set the value of a common key attribute.
		 */
		return (soft_set_common_key_attribute(object_p,
		    template, copy));
	}

	/*
	 * If we got this far, then the combination of key type
	 * and requested attribute is invalid.
	 */
	return (CKR_ATTRIBUTE_TYPE_INVALID);
}

/*
 * Set the value of an attribute of a Secret Key Object.
 *
 * Rule: The attributes marked with footnote number "8" in the PKCS11
 *       spec may be modified (p.88 in PKCS11 spec.).
 */
CK_RV
soft_set_secret_key_attribute(soft_object_t *object_p,
    CK_ATTRIBUTE_PTR template, boolean_t copy)
{
	CK_KEY_TYPE	keytype = object_p->key_type;

	switch (template->type) {

	case CKA_SENSITIVE:
		/*
		 * Cannot set SENSITIVE to FALSE if it is already ON.
		 */
		if (((*(CK_BBOOL *)template->pValue) == B_FALSE) &&
		    (object_p->bool_attr_mask & SENSITIVE_BOOL_ON)) {
			return (CKR_ATTRIBUTE_READ_ONLY);
		}

		if (*(CK_BBOOL *)template->pValue)
			object_p->bool_attr_mask |= SENSITIVE_BOOL_ON;
		return (CKR_OK);

	case CKA_ENCRYPT:
		return (set_bool_attr_to_object(object_p,
		    ENCRYPT_BOOL_ON, template));

	case CKA_DECRYPT:
		return (set_bool_attr_to_object(object_p,
		    DECRYPT_BOOL_ON, template));

	case CKA_SIGN:
		return (set_bool_attr_to_object(object_p,
		    SIGN_BOOL_ON, template));

	case CKA_VERIFY:
		return (set_bool_attr_to_object(object_p,
		    VERIFY_BOOL_ON, template));

	case CKA_WRAP:
		return (set_bool_attr_to_object(object_p,
		    WRAP_BOOL_ON, template));

	case CKA_UNWRAP:
		return (set_bool_attr_to_object(object_p,
		    UNWRAP_BOOL_ON, template));

	case CKA_EXTRACTABLE:
		/*
		 * Cannot set EXTRACTABLE to TRUE if it is already OFF.
		 */
		if ((*(CK_BBOOL *)template->pValue) &&
		    !(object_p->bool_attr_mask & EXTRACTABLE_BOOL_ON)) {
			return (CKR_ATTRIBUTE_READ_ONLY);
		}

		if ((*(CK_BBOOL *)template->pValue) == B_FALSE)
			object_p->bool_attr_mask &= ~EXTRACTABLE_BOOL_ON;
		return (CKR_OK);

	case CKA_VALUE:
		return (CKR_ATTRIBUTE_READ_ONLY);

	case CKA_VALUE_LEN:
		if ((keytype == CKK_RC4) ||
		    (keytype == CKK_GENERIC_SECRET) ||
		    (keytype == CKK_AES) ||
		    (keytype == CKK_BLOWFISH))
			return (CKR_ATTRIBUTE_READ_ONLY);
		break;

	default:
		/*
		 * Set the value of a common key attribute.
		 */
		return (soft_set_common_key_attribute(object_p,
		    template, copy));

	}
	/*
	 * If we got this far, then the combination of key type
	 * and requested attribute is invalid.
	 */
	return (CKR_ATTRIBUTE_TYPE_INVALID);
}


/*
 * Call the appropriate set attribute function according to the class
 * of object.
 *
 * The caller of this function does not hold the lock on the original
 * object, since this function is setting the attribute on the new object
 * that is being modified.
 *
 * Argument copy: TRUE when called by C_CopyObject,
 *		  FALSE when called by C_SetAttributeValue.
 */
CK_RV
soft_set_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template,
    boolean_t copy)
{

	CK_RV		rv = CKR_OK;
	CK_OBJECT_CLASS	class = object_p->class;

	switch (class) {

	case CKO_PUBLIC_KEY:
		rv = soft_set_public_key_attribute(object_p, template, copy);
		break;

	case CKO_PRIVATE_KEY:
		rv = soft_set_private_key_attribute(object_p, template, copy);
		break;

	case CKO_SECRET_KEY:
		rv = soft_set_secret_key_attribute(object_p, template, copy);
		break;

	case CKO_DOMAIN_PARAMETERS:
		switch (template->type) {
		case CKA_LABEL:
			/*
			 * Only the LABEL can be modified in the common
			 * storage object attributes after the object is
			 * created.
			 */
			return (set_extra_attr_to_object(object_p,
			    CKA_LABEL, template));
		default:
			return (CKR_TEMPLATE_INCONSISTENT);
		}
	case CKO_CERTIFICATE:
		rv = soft_set_certificate_attribute(object_p, template, copy);
		break;

	default:
		/*
		 * If the template specifies a value of an attribute
		 * which is incompatible with other existing attributes
		 * of the object, then fails with return code
		 * CKR_TEMPLATE_INCONSISTENT.
		 */
		rv = CKR_TEMPLATE_INCONSISTENT;
		break;
	}

	return (rv);
}

CK_RV
soft_get_public_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
    uchar_t *value, uint32_t *value_len)
{
	uint32_t len = 0;
	switch (type) {

	/* The following attributes belong to RSA */
	case CKA_MODULUS:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PUB_RSA_MOD(key))->big_value,
		    *value_len);

		break;

	case CKA_PUBLIC_EXPONENT:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PUB_RSA_PUBEXPO(key))->big_value,
		    *value_len);

		break;

	/* The following attributes belong to DSA and DH */
	case CKA_PRIME:

		if (key->key_type == CKK_DSA)
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		else
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->
			    big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (key->key_type == CKK_DSA)
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PUB_DSA_PRIME(key))->big_value,
			    *value_len);
		else
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PUB_DH_PRIME(key))->big_value,
			    *value_len);

		break;

	case CKA_SUBPRIME:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PUB_DSA_SUBPRIME(key))->big_value,
		    *value_len);

		break;

	case CKA_BASE:

		if (key->key_type == CKK_DSA)
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		else
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PUB_DH_BASE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PUB_DH_BASE(key))->
			    big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (key->key_type == CKK_DSA)
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PUB_DSA_BASE(key))->big_value,
			    *value_len);
		else
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PUB_DH_BASE(key))->big_value,
			    *value_len);
		break;

	case CKA_VALUE:

		if (key->key_type == CKK_DSA)
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		else
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->
			    big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (key->key_type == CKK_DSA)
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PUB_DSA_VALUE(key))->big_value,
			    *value_len);
		else
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PUB_DH_VALUE(key))->big_value,
			    *value_len);

		break;
	}

	return (CKR_OK);
}


CK_RV
soft_get_private_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
    uchar_t *value, uint32_t *value_len)
{

	uint32_t len = 0;

	switch (type) {

	/* The following attributes belong to RSA */
	case CKA_MODULUS:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_MOD(key))->big_value,
		    *value_len);

		break;

	case CKA_PRIVATE_EXPONENT:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_PRIEXPO(key))->big_value,
		    *value_len);

		break;

	case CKA_PRIME_1:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value_len;
#endif	/* __sparcv9 */

		if (len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (*value_len == 0) {
			return (CKR_OK);
		}

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_PRIME1(key))->big_value,
		    *value_len);

		break;

	case CKA_PRIME_2:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value_len;
#endif	/* __sparcv9 */

		if (len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (*value_len == 0) {
			return (CKR_OK);
		}

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_PRIME2(key))->big_value,
		    *value_len);

		break;

	case CKA_EXPONENT_1:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value_len;
#endif	/* __sparcv9 */

		if (len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (*value_len == 0) {
			return (CKR_OK);
		}

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_EXPO1(key))->big_value,
		    *value_len);

		break;

	case CKA_EXPONENT_2:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value_len;
#endif	/* __sparcv9 */

		if (len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (*value_len == 0) {
			return (CKR_OK);
		}

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_EXPO2(key))->big_value,
		    *value_len);

		break;

	case CKA_COEFFICIENT:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value_len;
#endif	/* __sparcv9 */

		if (len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (*value_len == 0) {
			return (CKR_OK);
		}

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_RSA_COEF(key))->big_value,
		    *value_len);

		break;

	/* The following attributes belong to DSA and DH */
	case CKA_PRIME:

		if (key->key_type == CKK_DSA)
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		else
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->
			    big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (key->key_type == CKK_DSA)
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_DSA_PRIME(key))->big_value,
			    *value_len);
		else
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_DH_PRIME(key))->big_value,
			    *value_len);

		break;

	case CKA_SUBPRIME:
#ifdef	__sparcv9
		len =
		    /* LINTED */
		    (uint32_t)
		    ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len;
#else	/* !__sparcv9 */
		len =
		    ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		(void) memcpy(value,
		    ((biginteger_t *)OBJ_PRI_DSA_SUBPRIME(key))->big_value,
		    *value_len);

		break;

	case CKA_BASE:

		if (key->key_type == CKK_DSA)
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		else
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_DH_BASE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_DH_BASE(key))->
			    big_value_len;
#endif	/* __sparcv9 */

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (key->key_type == CKK_DSA)
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_DSA_BASE(key))->big_value,
			    *value_len);
		else
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_DH_BASE(key))->big_value,
			    *value_len);
		break;

	case CKA_VALUE:

		if (key->key_type == CKK_DSA) {
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		} else if (key->key_type == CKK_DH) {
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		} else {
#ifdef	__sparcv9
			len =
			    /* LINTED */
			    (uint32_t)
			    ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->
			    big_value_len;
#else	/* !__sparcv9 */
			len =
			    ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->
			    big_value_len;
#endif	/* __sparcv9 */
		}

		/* This attribute MUST BE set */
		if (len == 0 || len > *value_len) {
			return (CKR_ATTRIBUTE_VALUE_INVALID);
		}
		*value_len = len;

		if (key->key_type == CKK_DSA) {
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->big_value,
			    *value_len);
		} else if (key->key_type == CKK_DH) {
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_DH_VALUE(key))->big_value,
			    *value_len);
		} else {
			(void) memcpy(value,
			    ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->big_value,
			    *value_len);
		}

		break;
	}

	return (CKR_OK);

}

static CK_RV
copy_bigint(biginteger_t *new_bigint, biginteger_t *old_bigint)
{
	new_bigint->big_value =
	    malloc((sizeof (CK_BYTE) * new_bigint->big_value_len));

	if (new_bigint->big_value == NULL) {
		return (CKR_HOST_MEMORY);
	}

	(void) memcpy(new_bigint->big_value, old_bigint->big_value,
	    (sizeof (CK_BYTE) * new_bigint->big_value_len));

	return (CKR_OK);
}

static void
free_public_key_attr(public_key_obj_t *pbk, CK_KEY_TYPE key_type)
{
	if (pbk == NULL) {
		return;
	}

	switch (key_type) {
		case CKK_RSA:
			bigint_attr_cleanup(KEY_PUB_RSA_MOD(pbk));
			bigint_attr_cleanup(KEY_PUB_RSA_PUBEXPO(pbk));
			break;
		case CKK_DSA:
			bigint_attr_cleanup(KEY_PUB_DSA_PRIME(pbk));
			bigint_attr_cleanup(KEY_PUB_DSA_SUBPRIME(pbk));
			bigint_attr_cleanup(KEY_PUB_DSA_BASE(pbk));
			bigint_attr_cleanup(KEY_PUB_DSA_VALUE(pbk));
			break;
		case CKK_DH:
			bigint_attr_cleanup(KEY_PUB_DH_PRIME(pbk));
			bigint_attr_cleanup(KEY_PUB_DH_BASE(pbk));
			bigint_attr_cleanup(KEY_PUB_DH_VALUE(pbk));
			break;
		case CKK_EC:
			bigint_attr_cleanup(KEY_PUB_EC_POINT(pbk));
			break;
		case CKK_X9_42_DH:
			bigint_attr_cleanup(KEY_PUB_DH942_PRIME(pbk));
			bigint_attr_cleanup(KEY_PUB_DH942_SUBPRIME(pbk));
			bigint_attr_cleanup(KEY_PUB_DH942_BASE(pbk));
			bigint_attr_cleanup(KEY_PUB_DH942_VALUE(pbk));
			break;
		default:
			break;
	}
	free(pbk);
}

CK_RV
soft_copy_public_key_attr(public_key_obj_t *old_pub_key_obj_p,
    public_key_obj_t **new_pub_key_obj_p, CK_KEY_TYPE key_type)
{

	public_key_obj_t *pbk;
	CK_RV rv = CKR_OK;

	pbk = calloc(1, sizeof (public_key_obj_t));
	if (pbk == NULL) {
		return (CKR_HOST_MEMORY);
	}

	switch (key_type) {
		case CKK_RSA:
			(void) memcpy(KEY_PUB_RSA(pbk),
			    KEY_PUB_RSA(old_pub_key_obj_p),
			    sizeof (rsa_pub_key_t));
			/* copy modulus */
			rv = copy_bigint(KEY_PUB_RSA_MOD(pbk),
			    KEY_PUB_RSA_MOD(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy public exponent */
			rv = copy_bigint(KEY_PUB_RSA_PUBEXPO(pbk),
			    KEY_PUB_RSA_PUBEXPO(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_DSA:
			(void) memcpy(KEY_PUB_DSA(pbk),
			    KEY_PUB_DSA(old_pub_key_obj_p),
			    sizeof (dsa_pub_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_PUB_DSA_PRIME(pbk),
			    KEY_PUB_DSA_PRIME(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy subprime */
			rv = copy_bigint(KEY_PUB_DSA_SUBPRIME(pbk),
			    KEY_PUB_DSA_SUBPRIME(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_PUB_DSA_BASE(pbk),
			    KEY_PUB_DSA_BASE(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy value */
			rv = copy_bigint(KEY_PUB_DSA_VALUE(pbk),
			    KEY_PUB_DSA_VALUE(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_DH:
			(void) memcpy(KEY_PUB_DH(pbk),
			    KEY_PUB_DH(old_pub_key_obj_p),
			    sizeof (dh_pub_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_PUB_DH_PRIME(pbk),
			    KEY_PUB_DH_PRIME(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_PUB_DH_BASE(pbk),
			    KEY_PUB_DH_BASE(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy value */
			rv = copy_bigint(KEY_PUB_DH_VALUE(pbk),
			    KEY_PUB_DH_VALUE(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_EC:
			(void) memcpy(KEY_PUB_EC(pbk),
			    KEY_PUB_EC(old_pub_key_obj_p),
			    sizeof (ec_pub_key_t));

			/* copy point */
			rv = copy_bigint(KEY_PUB_EC_POINT(pbk),
			    KEY_PUB_EC_POINT(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_X9_42_DH:
			(void) memcpy(KEY_PUB_DH942(pbk),
			    KEY_PUB_DH942(old_pub_key_obj_p),
			    sizeof (dh942_pub_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_PUB_DH942_PRIME(pbk),
			    KEY_PUB_DH942_PRIME(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy subprime */
			rv = copy_bigint(KEY_PUB_DH942_SUBPRIME(pbk),
			    KEY_PUB_DH942_SUBPRIME(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_PUB_DH942_BASE(pbk),
			    KEY_PUB_DH942_BASE(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy value */
			rv = copy_bigint(KEY_PUB_DH942_VALUE(pbk),
			    KEY_PUB_DH942_VALUE(old_pub_key_obj_p));
			if (rv != CKR_OK) {
				free_public_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		default:
			break;
	}
	*new_pub_key_obj_p = pbk;
	return (rv);
}

static void
free_private_key_attr(private_key_obj_t *pbk, CK_KEY_TYPE key_type)
{
	if (pbk == NULL) {
		return;
	}

	switch (key_type) {
		case CKK_RSA:
			bigint_attr_cleanup(KEY_PRI_RSA_MOD(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_PUBEXPO(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_PRIEXPO(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_PRIME1(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_PRIME2(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_EXPO1(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_EXPO2(pbk));
			bigint_attr_cleanup(KEY_PRI_RSA_COEF(pbk));
			break;
		case CKK_DSA:
			bigint_attr_cleanup(KEY_PRI_DSA_PRIME(pbk));
			bigint_attr_cleanup(KEY_PRI_DSA_SUBPRIME(pbk));
			bigint_attr_cleanup(KEY_PRI_DSA_BASE(pbk));
			bigint_attr_cleanup(KEY_PRI_DSA_VALUE(pbk));
			break;
		case CKK_DH:
			bigint_attr_cleanup(KEY_PRI_DH_PRIME(pbk));
			bigint_attr_cleanup(KEY_PRI_DH_BASE(pbk));
			bigint_attr_cleanup(KEY_PRI_DH_VALUE(pbk));
			break;
		case CKK_EC:
			bigint_attr_cleanup(KEY_PRI_EC_VALUE(pbk));
			break;
		case CKK_X9_42_DH:
			bigint_attr_cleanup(KEY_PRI_DH942_PRIME(pbk));
			bigint_attr_cleanup(KEY_PRI_DH942_SUBPRIME(pbk));
			bigint_attr_cleanup(KEY_PRI_DH942_BASE(pbk));
			bigint_attr_cleanup(KEY_PRI_DH942_VALUE(pbk));
			break;
		default:
			break;
	}
	free(pbk);
}

CK_RV
soft_copy_private_key_attr(private_key_obj_t *old_pri_key_obj_p,
    private_key_obj_t **new_pri_key_obj_p, CK_KEY_TYPE key_type)
{
	CK_RV rv = CKR_OK;
	private_key_obj_t *pbk;

	pbk = calloc(1, sizeof (private_key_obj_t));
	if (pbk == NULL) {
		return (CKR_HOST_MEMORY);
	}

	switch (key_type) {
		case CKK_RSA:
			(void) memcpy(KEY_PRI_RSA(pbk),
			    KEY_PRI_RSA(old_pri_key_obj_p),
			    sizeof (rsa_pri_key_t));
			/* copy modulus */
			rv = copy_bigint(KEY_PRI_RSA_MOD(pbk),
			    KEY_PRI_RSA_MOD(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy public exponent */
			rv = copy_bigint(KEY_PRI_RSA_PUBEXPO(pbk),
			    KEY_PRI_RSA_PUBEXPO(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy private exponent */
			rv = copy_bigint(KEY_PRI_RSA_PRIEXPO(pbk),
			    KEY_PRI_RSA_PRIEXPO(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy prime_1 */
			rv = copy_bigint(KEY_PRI_RSA_PRIME1(pbk),
			    KEY_PRI_RSA_PRIME1(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy prime_2 */
			rv = copy_bigint(KEY_PRI_RSA_PRIME2(pbk),
			    KEY_PRI_RSA_PRIME2(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy exponent_1 */
			rv = copy_bigint(KEY_PRI_RSA_EXPO1(pbk),
			    KEY_PRI_RSA_EXPO1(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy exponent_2 */
			rv = copy_bigint(KEY_PRI_RSA_EXPO2(pbk),
			    KEY_PRI_RSA_EXPO2(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			/* copy coefficient */
			rv = copy_bigint(KEY_PRI_RSA_COEF(pbk),
			    KEY_PRI_RSA_COEF(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_DSA:
			(void) memcpy(KEY_PRI_DSA(pbk),
			    KEY_PRI_DSA(old_pri_key_obj_p),
			    sizeof (dsa_pri_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_PRI_DSA_PRIME(pbk),
			    KEY_PRI_DSA_PRIME(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy subprime */
			rv = copy_bigint(KEY_PRI_DSA_SUBPRIME(pbk),
			    KEY_PRI_DSA_SUBPRIME(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_PRI_DSA_BASE(pbk),
			    KEY_PRI_DSA_BASE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy value */
			rv = copy_bigint(KEY_PRI_DSA_VALUE(pbk),
			    KEY_PRI_DSA_VALUE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_DH:
			(void) memcpy(KEY_PRI_DH(pbk),
			    KEY_PRI_DH(old_pri_key_obj_p),
			    sizeof (dh_pri_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_PRI_DH_PRIME(pbk),
			    KEY_PRI_DH_PRIME(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_PRI_DH_BASE(pbk),
			    KEY_PRI_DH_BASE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy value */
			rv = copy_bigint(KEY_PRI_DH_VALUE(pbk),
			    KEY_PRI_DH_VALUE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_EC:
			(void) memcpy(KEY_PRI_EC(pbk),
			    KEY_PRI_EC(old_pri_key_obj_p),
			    sizeof (ec_pri_key_t));

			/* copy value */
			rv = copy_bigint(KEY_PRI_EC_VALUE(pbk),
			    KEY_PRI_EC_VALUE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		case CKK_X9_42_DH:
			(void) memcpy(KEY_PRI_DH942(pbk),
			    KEY_PRI_DH942(old_pri_key_obj_p),
			    sizeof (dh942_pri_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_PRI_DH942_PRIME(pbk),
			    KEY_PRI_DH942_PRIME(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy subprime */
			rv = copy_bigint(KEY_PRI_DH942_SUBPRIME(pbk),
			    KEY_PRI_DH942_SUBPRIME(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_PRI_DH942_BASE(pbk),
			    KEY_PRI_DH942_BASE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}

			/* copy value */
			rv = copy_bigint(KEY_PRI_DH942_VALUE(pbk),
			    KEY_PRI_DH942_VALUE(old_pri_key_obj_p));
			if (rv != CKR_OK) {
				free_private_key_attr(pbk, key_type);
				return (rv);
			}
			break;
		default:
			break;
	}
	*new_pri_key_obj_p = pbk;
	return (rv);
}

static void
free_domain_attr(domain_obj_t *domain, CK_KEY_TYPE key_type)
{
	if (domain == NULL) {
		return;
	}

	switch (key_type) {
		case CKK_DSA:
			bigint_attr_cleanup(KEY_DOM_DSA_PRIME(domain));
			bigint_attr_cleanup(KEY_DOM_DSA_SUBPRIME(domain));
			bigint_attr_cleanup(KEY_DOM_DSA_BASE(domain));
			break;
		case CKK_DH:
			bigint_attr_cleanup(KEY_DOM_DH_PRIME(domain));
			bigint_attr_cleanup(KEY_DOM_DH_BASE(domain));
			break;
		case CKK_X9_42_DH:
			bigint_attr_cleanup(KEY_DOM_DH942_PRIME(domain));
			bigint_attr_cleanup(KEY_DOM_DH942_SUBPRIME(domain));
			bigint_attr_cleanup(KEY_DOM_DH942_BASE(domain));
			break;
		default:
			break;
	}
	free(domain);
}

CK_RV
soft_copy_domain_attr(domain_obj_t *old_domain_obj_p,
    domain_obj_t **new_domain_obj_p, CK_KEY_TYPE key_type)
{
	CK_RV rv = CKR_OK;
	domain_obj_t *domain;

	domain = calloc(1, sizeof (domain_obj_t));
	if (domain == NULL) {
		return (CKR_HOST_MEMORY);
	}

	switch (key_type) {
		case CKK_DSA:
			(void) memcpy(KEY_DOM_DSA(domain),
			    KEY_DOM_DSA(old_domain_obj_p),
			    sizeof (dsa_dom_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_DOM_DSA_PRIME(domain),
			    KEY_DOM_DSA_PRIME(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			/* copy subprime */
			rv = copy_bigint(KEY_DOM_DSA_SUBPRIME(domain),
			    KEY_DOM_DSA_SUBPRIME(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_DOM_DSA_BASE(domain),
			    KEY_DOM_DSA_BASE(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			break;
		case CKK_DH:
			(void) memcpy(KEY_DOM_DH(domain),
			    KEY_DOM_DH(old_domain_obj_p),
			    sizeof (dh_dom_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_DOM_DH_PRIME(domain),
			    KEY_DOM_DH_PRIME(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_DOM_DH_BASE(domain),
			    KEY_DOM_DH_BASE(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			break;
		case CKK_X9_42_DH:
			(void) memcpy(KEY_DOM_DH942(domain),
			    KEY_DOM_DH942(old_domain_obj_p),
			    sizeof (dh942_dom_key_t));

			/* copy prime */
			rv = copy_bigint(KEY_DOM_DH942_PRIME(domain),
			    KEY_DOM_DH942_PRIME(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			/* copy subprime */
			rv = copy_bigint(KEY_DOM_DH942_SUBPRIME(domain),
			    KEY_DOM_DH942_SUBPRIME(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			/* copy base */
			rv = copy_bigint(KEY_DOM_DH942_BASE(domain),
			    KEY_DOM_DH942_BASE(old_domain_obj_p));
			if (rv != CKR_OK) {
				free_domain_attr(domain, key_type);
				return (rv);
			}

			break;
		default:
			break;
	}
	*new_domain_obj_p = domain;
	return (rv);
}

CK_RV
soft_copy_secret_key_attr(secret_key_obj_t *old_secret_key_obj_p,
    secret_key_obj_t **new_secret_key_obj_p)
{
	secret_key_obj_t *sk;

	sk = malloc(sizeof (secret_key_obj_t));
	if (sk == NULL) {
		return (CKR_HOST_MEMORY);
	}
	(void) memcpy(sk, old_secret_key_obj_p, sizeof (secret_key_obj_t));

	/* copy the secret key value */
	sk->sk_value = malloc(sk->sk_value_len);
	if (sk->sk_value == NULL) {
		free(sk);
		return (CKR_HOST_MEMORY);
	}
	(void) memcpy(sk->sk_value, old_secret_key_obj_p->sk_value,
	    (sizeof (CK_BYTE) * sk->sk_value_len));

	/*
	 * Copy the pre-expanded key schedule.
	 */
	if (old_secret_key_obj_p->key_sched != NULL &&
	    old_secret_key_obj_p->keysched_len > 0) {
		sk->key_sched = malloc(old_secret_key_obj_p->keysched_len);
		if (sk->key_sched == NULL) {
			freezero(sk->sk_value, sk->sk_value_len);
			free(sk);
			return (CKR_HOST_MEMORY);
		}
		sk->keysched_len = old_secret_key_obj_p->keysched_len;
		(void) memcpy(sk->key_sched, old_secret_key_obj_p->key_sched,
		    sk->keysched_len);
	}

	*new_secret_key_obj_p = sk;

	return (CKR_OK);
}

/*
 * If CKA_CLASS not given, guess CKA_CLASS using
 * attributes on template .
 *
 * Some attributes are specific to an object class.  If one or more
 * of these attributes are in the template, make a list of classes
 * that can have these attributes.  This would speed up the search later,
 * because we can immediately skip an object if the class of that
 * object can not possibly contain one of the attributes.
 *
 */
void
soft_process_find_attr(CK_OBJECT_CLASS *pclasses,
    CK_ULONG *num_result_pclasses, CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount)
{
	ulong_t i;
	int j;
	boolean_t pub_found = B_FALSE,
	    priv_found = B_FALSE,
	    secret_found = B_FALSE,
	    domain_found = B_FALSE,
	    hardware_found = B_FALSE,
	    cert_found = B_FALSE;
	int num_pub_key_attrs, num_priv_key_attrs,
	    num_secret_key_attrs, num_domain_attrs,
	    num_hardware_attrs, num_cert_attrs;
	int num_pclasses = 0;

	for (i = 0; i < ulCount; i++) {
		if (pTemplate[i].type == CKA_CLASS) {
			/*
			 * don't need to guess the class, it is specified.
			 * Just record the class, and return.
			 */
			pclasses[0] =
			    (*((CK_OBJECT_CLASS *)pTemplate[i].pValue));
			*num_result_pclasses = 1;
			return;
		}
	}

	num_pub_key_attrs =
	    sizeof (PUB_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
	num_priv_key_attrs =
	    sizeof (PRIV_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
	num_secret_key_attrs =
	    sizeof (SECRET_KEY_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
	num_domain_attrs =
	    sizeof (DOMAIN_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
	num_hardware_attrs =
	    sizeof (HARDWARE_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);
	num_cert_attrs =
	    sizeof (CERT_ATTRS) / sizeof (CK_ATTRIBUTE_TYPE);

	/*
	 * Get the list of objects class that might contain
	 * some attributes.
	 */
	for (i = 0; i < ulCount; i++) {
		/*
		 * only check if this attribute can belong to public key object
		 * class if public key object isn't already in the list
		 */
		if (!pub_found) {
			for (j = 0; j < num_pub_key_attrs; j++) {
				if (pTemplate[i].type == PUB_KEY_ATTRS[j]) {
					pub_found = B_TRUE;
					pclasses[num_pclasses++] =
					    CKO_PUBLIC_KEY;
					break;
				}
			}
		}

		if (!priv_found) {
			for (j = 0; j < num_priv_key_attrs; j++) {
				if (pTemplate[i].type == PRIV_KEY_ATTRS[j]) {
					priv_found = B_TRUE;
					pclasses[num_pclasses++] =
					    CKO_PRIVATE_KEY;
					break;
				}
			}
		}

		if (!secret_found) {
			for (j = 0; j < num_secret_key_attrs; j++) {
				if (pTemplate[i].type == SECRET_KEY_ATTRS[j]) {
					secret_found = B_TRUE;
					pclasses[num_pclasses++] =
					    CKO_SECRET_KEY;
					break;
				}
			}
		}

		if (!domain_found) {
			for (j = 0; j < num_domain_attrs; j++) {
				if (pTemplate[i].type == DOMAIN_ATTRS[j]) {
					domain_found = B_TRUE;
					pclasses[num_pclasses++] =
					    CKO_DOMAIN_PARAMETERS;
					break;
				}
			}
		}

		if (!hardware_found) {
			for (j = 0; j < num_hardware_attrs; j++) {
				if (pTemplate[i].type == HARDWARE_ATTRS[j]) {
					hardware_found = B_TRUE;
					pclasses[num_pclasses++] =
					    CKO_HW_FEATURE;
					break;
				}
			}
		}

		if (!cert_found) {
			for (j = 0; j < num_cert_attrs; j++) {
				if (pTemplate[i].type == CERT_ATTRS[j]) {
					cert_found = B_TRUE;
					pclasses[num_pclasses++] =
					    CKO_CERTIFICATE;
					break;
				}
			}
		}
	}
	*num_result_pclasses = num_pclasses;
}

boolean_t
soft_find_match_attrs(soft_object_t *obj, CK_OBJECT_CLASS *pclasses,
    CK_ULONG num_pclasses, CK_ATTRIBUTE *template, CK_ULONG num_attr)
{
	ulong_t i;
	CK_ATTRIBUTE *tmpl_attr, *obj_attr;
	cert_attr_t *cert_attr;
	uint64_t attr_mask;
	biginteger_t *bigint;
	boolean_t compare_attr, compare_bigint, compare_boolean;
	boolean_t compare_cert_val, compare_cert_type;

	/*
	 * Check if the class of this object match with any
	 * of object classes that can possibly contain the
	 * requested attributes.
	 */
	if (num_pclasses > 0) {
		for (i = 0; i < num_pclasses; i++) {
			if (obj->class == pclasses[i]) {
				break;
			}
		}
		if (i == num_pclasses) {
			/*
			 * this object can't possibly contain one or
			 * more attributes, don't need to check this object
			 */
			return (B_FALSE);
		}
	}

	/* need to examine everything */
	for (i = 0; i < num_attr; i++) {
		tmpl_attr = &(template[i]);
		compare_attr = B_FALSE;
		compare_bigint = B_FALSE;
		compare_boolean = B_FALSE;
		compare_cert_val = B_FALSE;
		compare_cert_type = B_FALSE;
		switch (tmpl_attr->type) {
		/* First, check the most common attributes */
		case CKA_CLASS:
			if (*((CK_OBJECT_CLASS *)tmpl_attr->pValue) !=
			    obj->class) {
				return (B_FALSE);
			}
			break;
		case CKA_KEY_TYPE:
			if (*((CK_KEY_TYPE *)tmpl_attr->pValue) !=
			    obj->key_type) {
				return (B_FALSE);
			}
			break;
		case CKA_ENCRYPT:
			attr_mask = (obj->bool_attr_mask) & ENCRYPT_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_DECRYPT:
			attr_mask = (obj->bool_attr_mask) & DECRYPT_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_WRAP:
			attr_mask = (obj->bool_attr_mask) & WRAP_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_UNWRAP:
			attr_mask = (obj->bool_attr_mask) & UNWRAP_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_SIGN:
			attr_mask = (obj->bool_attr_mask) & SIGN_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_SIGN_RECOVER:
			attr_mask = (obj->bool_attr_mask) &
			    SIGN_RECOVER_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_VERIFY:
			attr_mask = (obj->bool_attr_mask) & VERIFY_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_VERIFY_RECOVER:
			attr_mask = (obj->bool_attr_mask) &
			    VERIFY_RECOVER_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_DERIVE:
			attr_mask = (obj->bool_attr_mask) & DERIVE_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_LOCAL:
			attr_mask = (obj->bool_attr_mask) & LOCAL_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_SENSITIVE:
			attr_mask = (obj->bool_attr_mask) & SENSITIVE_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_SECONDARY_AUTH:
			attr_mask = (obj->bool_attr_mask) &
			    SECONDARY_AUTH_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_TRUSTED:
			attr_mask = (obj->bool_attr_mask) & TRUSTED_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_EXTRACTABLE:
			attr_mask = (obj->bool_attr_mask) &
			    EXTRACTABLE_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_ALWAYS_SENSITIVE:
			attr_mask = (obj->bool_attr_mask) &
			    ALWAYS_SENSITIVE_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_NEVER_EXTRACTABLE:
			attr_mask = (obj->bool_attr_mask) &
			    NEVER_EXTRACTABLE_BOOL_ON;
			compare_boolean = B_TRUE;
			break;
		case CKA_TOKEN:
			attr_mask = (obj->object_type) & TOKEN_OBJECT;
			compare_boolean = B_TRUE;
			break;
		case CKA_PRIVATE:
			attr_mask = (obj->object_type) & PRIVATE_OBJECT;
			compare_boolean = B_TRUE;
			break;
		case CKA_MODIFIABLE:
		{
			CK_BBOOL bval;
			attr_mask = (obj->bool_attr_mask) &
			    NOT_MODIFIABLE_BOOL_ON;

			if (attr_mask) {
				bval = FALSE;
			} else {
				bval = TRUE;
			}
			if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) {
				return (B_FALSE);
			}
			break;
		}
		case CKA_OWNER:
			/*
			 * For X.509 attribute certificate object, get its
			 * CKA_OWNER attribute from the x509_attr_cert_t struct.
			 */
			if ((obj->class == CKO_CERTIFICATE) &&
			    (obj->cert_type == CKC_X_509_ATTR_CERT)) {
				cert_attr = X509_ATTR_CERT_OWNER(obj);
				compare_cert_val = B_TRUE;
			}
			break;
		case CKA_SUBJECT:
			/*
			 * For X.509 certificate object, get its CKA_SUBJECT
			 * attribute from the x509_cert_t struct (not from
			 * the extra_attrlistp).
			 */
			if ((obj->class == CKO_CERTIFICATE) &&
			    (obj->cert_type == CKC_X_509)) {
				cert_attr = X509_CERT_SUBJECT(obj);
				compare_cert_val = B_TRUE;
				break;
			}
			/*FALLTHRU*/
		case CKA_ID:
		case CKA_START_DATE:
		case CKA_END_DATE:
		case CKA_KEY_GEN_MECHANISM:
		case CKA_LABEL:
		case CKA_ISSUER:
		case CKA_SERIAL_NUMBER:
		case CKA_AC_ISSUER:
		case CKA_ATTR_TYPES:
			/* find these attributes from extra_attrlistp */
			obj_attr = get_extra_attr(tmpl_attr->type, obj);
			compare_attr = B_TRUE;
			break;
		case CKA_CERTIFICATE_TYPE:
			compare_cert_type = B_TRUE;
			break;
		case CKA_VALUE_LEN:
			/* only secret key has this attribute */
			if (obj->class == CKO_SECRET_KEY) {
				if (*((CK_ULONG *)tmpl_attr->pValue) !=
				    OBJ_SEC_VALUE_LEN(obj)) {
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_VALUE:
			switch (obj->class) {
			case CKO_SECRET_KEY:
				/*
				 * secret_key_obj_t is the same as
				 * biginteger_t
				 */
				bigint = (biginteger_t *)OBJ_SEC(obj);
				compare_bigint = B_TRUE;
				break;
			case CKO_PRIVATE_KEY:
				if (obj->key_type == CKK_DSA) {
					bigint = OBJ_PRI_DSA_VALUE(obj);
				} else if (obj->key_type == CKK_DH) {
					bigint = OBJ_PRI_DH_VALUE(obj);
				} else if (obj->key_type == CKK_X9_42_DH) {
					bigint = OBJ_PRI_DH942_VALUE(obj);
				} else {
					return (B_FALSE);
				}
				compare_bigint = B_TRUE;
				break;
			case CKO_PUBLIC_KEY:
				if (obj->key_type == CKK_DSA) {
					bigint = OBJ_PUB_DSA_VALUE(obj);
				} else if (obj->key_type == CKK_DH) {
					bigint = OBJ_PUB_DH_VALUE(obj);
				} else if (obj->key_type == CKK_X9_42_DH) {
					bigint = OBJ_PUB_DH942_VALUE(obj);
				} else {
					return (B_FALSE);
				}
				compare_bigint = B_TRUE;
				break;
			case CKO_CERTIFICATE:
				if (obj->cert_type == CKC_X_509) {
					cert_attr = X509_CERT_VALUE(obj);
				} else if (obj->cert_type ==
				    CKC_X_509_ATTR_CERT) {
					cert_attr = X509_ATTR_CERT_VALUE(obj);
				}
				compare_cert_val = B_TRUE;
				break;
			default:
				return (B_FALSE);
			}
			break;
		case CKA_MODULUS:
			/* only RSA public and private key have this attr */
			if (obj->key_type == CKK_RSA) {
				if (obj->class == CKO_PUBLIC_KEY) {
					bigint = OBJ_PUB_RSA_MOD(obj);
				} else if (obj->class == CKO_PRIVATE_KEY) {
					bigint = OBJ_PRI_RSA_MOD(obj);
				} else {
					return (B_FALSE);
				}
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_MODULUS_BITS:
			/* only RSA public key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PUBLIC_KEY)) {
				CK_ULONG mod_bits = OBJ_PUB_RSA_MOD_BITS(obj);
				if (mod_bits !=
				    *((CK_ULONG *)tmpl_attr->pValue)) {
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_PUBLIC_EXPONENT:
			/* only RSA public and private key have this attr */
			if (obj->key_type == CKK_RSA) {
				if (obj->class == CKO_PUBLIC_KEY) {
					bigint = OBJ_PUB_RSA_PUBEXPO(obj);
				} else if (obj->class == CKO_PRIVATE_KEY) {
					bigint = OBJ_PRI_RSA_PUBEXPO(obj);
				} else {
					return (B_FALSE);
				}
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_PRIVATE_EXPONENT:
			/* only RSA private key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				bigint = OBJ_PRI_RSA_PRIEXPO(obj);
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_PRIME_1:
			/* only RSA private key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				bigint = OBJ_PRI_RSA_PRIME1(obj);
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_PRIME_2:
			/* only RSA private key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				bigint = OBJ_PRI_RSA_PRIME2(obj);
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_EXPONENT_1:
			/* only RSA private key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				bigint = OBJ_PRI_RSA_EXPO1(obj);
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_EXPONENT_2:
			/* only RSA private key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				bigint = OBJ_PRI_RSA_EXPO2(obj);
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_COEFFICIENT:
			/* only RSA private key has this attribute */
			if ((obj->key_type == CKK_RSA) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				bigint = OBJ_PRI_RSA_COEF(obj);
				compare_bigint = B_TRUE;
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_VALUE_BITS:
			/* only Diffie-Hellman private key has this attr */
			if ((obj->key_type == CKK_DH) &&
			    (obj->class == CKO_PRIVATE_KEY)) {
				CK_ULONG val_bits = OBJ_PRI_DH_VAL_BITS(obj);
				if (val_bits !=
				    *((CK_ULONG *)tmpl_attr->pValue)) {
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_PRIME:
			if (obj->class == CKO_PUBLIC_KEY) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_PUB_DSA_PRIME(obj);
					break;
				case CKK_DH:
					bigint = OBJ_PUB_DH_PRIME(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_PUB_DH942_PRIME(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else if (obj->class == CKO_PRIVATE_KEY) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_PRI_DSA_PRIME(obj);
					break;
				case CKK_DH:
					bigint = OBJ_PRI_DH_PRIME(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_PRI_DH942_PRIME(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else if (obj->class == CKO_DOMAIN_PARAMETERS) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_DOM_DSA_PRIME(obj);
					break;
				case CKK_DH:
					bigint = OBJ_DOM_DH_PRIME(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_DOM_DH942_PRIME(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			compare_bigint = B_TRUE;
			break;
		case CKA_SUBPRIME:
			if (obj->class == CKO_PUBLIC_KEY) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_PUB_DSA_SUBPRIME(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_PUB_DH942_SUBPRIME(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else if (obj->class == CKO_PRIVATE_KEY) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_PRI_DSA_SUBPRIME(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_PRI_DH942_SUBPRIME(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else if (obj->class == CKO_DOMAIN_PARAMETERS) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_DOM_DSA_SUBPRIME(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_DOM_DH942_SUBPRIME(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			compare_bigint = B_TRUE;
			break;
		case CKA_BASE:
			if (obj->class == CKO_PUBLIC_KEY) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_PUB_DSA_BASE(obj);
					break;
				case CKK_DH:
					bigint = OBJ_PUB_DH_BASE(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_PUB_DH942_BASE(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else if (obj->class == CKO_PRIVATE_KEY) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_PRI_DSA_BASE(obj);
					break;
				case CKK_DH:
					bigint = OBJ_PRI_DH_BASE(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_PRI_DH942_BASE(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else if (obj->class == CKO_DOMAIN_PARAMETERS) {
				switch (obj->key_type) {
				case CKK_DSA:
					bigint = OBJ_DOM_DSA_BASE(obj);
					break;
				case CKK_DH:
					bigint = OBJ_DOM_DH_BASE(obj);
					break;
				case CKK_X9_42_DH:
					bigint = OBJ_DOM_DH942_BASE(obj);
					break;
				default:
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			compare_bigint = B_TRUE;
			break;
		case CKA_PRIME_BITS:
			if (obj->class == CKO_DOMAIN_PARAMETERS) {
				CK_ULONG prime_bits;
				if (obj->key_type == CKK_DSA) {
					prime_bits =
					    OBJ_DOM_DSA_PRIME_BITS(obj);
				} else if (obj->key_type == CKK_DH) {
					prime_bits =
					    OBJ_DOM_DH_PRIME_BITS(obj);
				} else if (obj->key_type == CKK_X9_42_DH) {
					prime_bits =
					    OBJ_DOM_DH942_PRIME_BITS(obj);
				} else {
					return (B_FALSE);
				}
				if (prime_bits !=
				    *((CK_ULONG *)tmpl_attr->pValue)) {
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			break;
		case CKA_SUBPRIME_BITS:
			if ((obj->class == CKO_DOMAIN_PARAMETERS) &&
			    (obj->key_type == CKK_X9_42_DH)) {
				CK_ULONG subprime_bits =
				    OBJ_DOM_DH942_SUBPRIME_BITS(obj);
				if (subprime_bits !=
				    *((CK_ULONG *)tmpl_attr->pValue)) {
					return (B_FALSE);
				}
			} else {
				return (B_FALSE);
			}
			break;
		default:
			/*
			 * any other attributes are currently not supported.
			 * so, it's not possible for them to be in the
			 * object
			 */
			return (B_FALSE);
		}
		if (compare_boolean) {
			CK_BBOOL bval;

			if (attr_mask) {
				bval = TRUE;
			} else {
				bval = FALSE;
			}
			if (bval != *((CK_BBOOL *)tmpl_attr->pValue)) {
				return (B_FALSE);
			}
		} else if (compare_bigint) {
			if (bigint == NULL) {
				return (B_FALSE);
			}
			if (tmpl_attr->ulValueLen != bigint->big_value_len) {
				return (B_FALSE);
			}
			if (memcmp(tmpl_attr->pValue, bigint->big_value,
			    tmpl_attr->ulValueLen) != 0) {
				return (B_FALSE);
			}
		} else if (compare_attr) {
			if (obj_attr == NULL) {
				/*
				 * The attribute type is valid, and its value
				 * has not been initialized in the object. In
				 * this case, it only matches the template's
				 * attribute if the template's value length
				 * is 0.
				 */
				if (tmpl_attr->ulValueLen != 0)
					return (B_FALSE);
			} else {
				if (tmpl_attr->ulValueLen !=
				    obj_attr->ulValueLen) {
					return (B_FALSE);
				}
				if (memcmp(tmpl_attr->pValue, obj_attr->pValue,
				    tmpl_attr->ulValueLen) != 0) {
					return (B_FALSE);
				}
			}
		} else if (compare_cert_val) {
			if (cert_attr == NULL) {
				/* specific attribute not found */
				return (B_FALSE);
			}
			if (tmpl_attr->ulValueLen != cert_attr->length) {
				return (B_FALSE);
			}
			if (memcmp(tmpl_attr->pValue, cert_attr->value,
			    tmpl_attr->ulValueLen) != 0) {
				return (B_FALSE);
			}
		} else if (compare_cert_type) {
			if (memcmp(tmpl_attr->pValue, &(obj->cert_type),
			    tmpl_attr->ulValueLen) != 0) {
				return (B_FALSE);
			}
		}
	}
	return (B_TRUE);
}

CK_ATTRIBUTE_PTR
get_extra_attr(CK_ATTRIBUTE_TYPE type, soft_object_t *obj)
{
	CK_ATTRIBUTE_INFO_PTR tmp;

	tmp = obj->extra_attrlistp;
	while (tmp != NULL) {
		if (tmp->attr.type == type) {
			return (&(tmp->attr));
		}
		tmp = tmp->next;
	}
	/* if get there, the specified attribute is not found */
	return (NULL);
}