From b2ee72d7b4c771f1241051fb20f994854841a52c Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Mon, 4 Sep 2023 15:20:38 +0200
Subject: [PATCH] Add command to generate keypair on a PKCS#11 token

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 bash-completion/p11-kit    |   2 +-
 common/compat.c            |  10 +
 common/compat.h            |  13 +-
 doc/manual/p11-kit.xml     |  36 ++++
 p11-kit/Makefile.am        |   2 +
 p11-kit/generate-keypair.c | 402 +++++++++++++++++++++++++++++++++++++
 p11-kit/meson.build        |   1 +
 p11-kit/p11-kit.c          |  44 ++--
 po/POTFILES.in             |   1 +
 9 files changed, 485 insertions(+), 26 deletions(-)
 create mode 100644 p11-kit/generate-keypair.c

diff --git a/bash-completion/p11-kit b/bash-completion/p11-kit
index 550fbdbf8..00dd694c2 100644
--- a/bash-completion/p11-kit
+++ b/bash-completion/p11-kit
@@ -10,7 +10,7 @@ _p11-kit()
         COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
         return
     elif [[ $cword -eq 1 ]]; then
-        local commands='export-object delete-object list-objects add-profile delete-profile list-profiles list-modules print-config extract server remote'
+        local commands='generate-keypair export-object delete-object list-objects add-profile delete-profile list-profiles list-modules print-config extract server remote'
         COMPREPLY=( $(compgen -W "$commands" -- "$cur") )
     fi
 } &&
diff --git a/common/compat.c b/common/compat.c
index 4e0c89c15..3bdf05a16 100644
--- a/common/compat.c
+++ b/common/compat.c
@@ -1051,3 +1051,13 @@ p11_ascii_toupper (int c)
 		return 'A' + (c - 'a');
 	return c;
 }
+
+bool
+p11_ascii_strcaseeq (const char *s1,
+		     const char *s2)
+{
+	while (p11_ascii_tolower (*s1) == p11_ascii_tolower (*s2++))
+		if (*s1++ == '\0')
+			return true;
+	return !(p11_ascii_tolower (*s1) - p11_ascii_tolower (*--s2));
+}
diff --git a/common/compat.h b/common/compat.h
index 643e7c8a4..14092b0b5 100644
--- a/common/compat.h
+++ b/common/compat.h
@@ -394,11 +394,14 @@ int        isatty           (int fd);
 
 #endif
 
-void       p11_strerror_r    (int errnum,
-                              char *buf,
-                              size_t buflen);
+void       p11_strerror_r      (int errnum,
+                                char *buf,
+                                size_t buflen);
 
-int        p11_ascii_tolower (int c);
-int        p11_ascii_toupper (int c);
+int        p11_ascii_tolower   (int c);
+int        p11_ascii_toupper   (int c);
+
+bool       p11_ascii_strcaseeq (const char *s1,
+                                const char *s2);
 
 #endif /* __COMPAT_H__ */
diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
index 42e1336b3..701a5741a 100644
--- a/doc/manual/p11-kit.xml
+++ b/doc/manual/p11-kit.xml
@@ -41,6 +41,12 @@
 	<cmdsynopsis>
 		<command>p11-kit delete-object</command> ...
 	</cmdsynopsis>
+	<cmdsynopsis>
+		<command>p11-kit generate-keypair</command>
+			<arg choice="plain">--label=&lt;label&gt;</arg>
+			<arg choice="plain">--type=&lt;algorithm&gt;</arg>
+			<arg choice="plain">--bits=&lt;n&gt;</arg> pkcs11:token
+	</cmdsynopsis>
 	<cmdsynopsis>
 		<command>p11-kit list-profiles</command> ...
 	</cmdsynopsis>
@@ -140,6 +146,36 @@ $ p11-kit delete-object pkcs11:token
 
 </refsect1>
 
+<refsect1 id="p11-kit-generate-keypair">
+	<title>Generate Key-pair</title>
+
+	<para>Generate key-pair on a PKCS#11 token.</para>
+
+<programlisting>
+$ p11-kit generate-keypair --label=label --type=algorithm --bits=n pkcs11:token
+</programlisting>
+
+	<para>Generate private-public key-pair of given type on a specified token.
+	Should be used together with --type and --bits options.</para>
+
+	<variablelist>
+		<varlistentry>
+			<term><option>--label=&lt;label&gt;</option></term>
+			<listitem><para>Adds a label to the generated key-pair objects.</para></listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><option>--type=&lt;algorithm&gt;</option></term>
+			<listitem><para>Specify the type of keys to generate.
+			Supported values are RSA, ECDSA, Ed25519</para></listitem>
+		</varlistentry>
+		<varlistentry>
+			<term><option>--bits=&lt;n&gt;</option></term>
+			<listitem><para>Specify the number of bits for the key-pair generation.</para></listitem>
+		</varlistentry>
+	</variablelist>
+
+</refsect1>
+
 <refsect1 id="p11-kit-list-profiles">
 	<title>List Profiles</title>
 
diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am
index 8926fcb77..3714c4a77 100644
--- a/p11-kit/Makefile.am
+++ b/p11-kit/Makefile.am
@@ -267,6 +267,7 @@ p11_kit_p11_kit_SOURCES = \
 	p11-kit/delete-object.c \
 	p11-kit/delete-profile.c \
 	p11-kit/export-object.c \
+	p11-kit/generate-keypair.c \
 	p11-kit/list-objects.c \
 	p11-kit/list-profiles.c \
 	p11-kit/lists.c \
@@ -292,6 +293,7 @@ p11_kit_p11_kit_testable_SOURCES = \
 	p11-kit/delete-object.c \
 	p11-kit/delete-profile.c \
 	p11-kit/export-object.c \
+	p11-kit/generate-keypair.c \
 	p11-kit/list-objects.c \
 	p11-kit/list-profiles.c \
 	p11-kit/lists.c \
diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c
new file mode 100644
index 000000000..877314def
--- /dev/null
+++ b/p11-kit/generate-keypair.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (c) 2023, Red Hat Inc.
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Zoltan Fridrich <zfridric@redhat.com>
+ */
+
+#include "config.h"
+
+#include "attrs.h"
+#include "compat.h"
+#include "debug.h"
+#include "iter.h"
+#include "message.h"
+#include "mock.h"
+#include "tool.h"
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef ENABLE_NLS
+#include <libintl.h>
+#define _(x) dgettext(PACKAGE_NAME, x)
+#else
+#define _(x) (x)
+#endif
+
+#define cleanup_if_fail(X, S)          \
+	do { if (X) { } else {         \
+		p11_message (_(S));    \
+		goto cleanup;          \
+	} } while (false)
+
+#define cleanup_if_fail_rv(X, S, R)    \
+	do { if (X) { } else {         \
+		p11_message (_(S), R); \
+		goto cleanup;          \
+	} } while (false)
+
+const CK_BBOOL TVAL = CK_TRUE;
+const CK_BBOOL FVAL = CK_FALSE;
+
+int
+p11_kit_generate_keypair (int argc,
+			  char *argv[]);
+
+static bool
+get_mechanism (CK_MECHANISM *m,
+	       const char *type)
+{
+	if (p11_ascii_strcaseeq (type, "MOCK")) {
+		m->mechanism = CKM_MOCK_GENERATE;
+		m->pParameter = "generate";
+		m->ulParameterLen = 9;
+		return true;
+	}
+
+	if (p11_ascii_strcaseeq (type, "RSA"))
+		m->mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+	else if (p11_ascii_strcaseeq (type, "ECDSA"))
+		m->mechanism = CKM_ECDSA_KEY_PAIR_GEN;
+	else if (p11_ascii_strcaseeq (type, "Ed25519"))
+		m->mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
+	else
+		return false;
+
+	m->pParameter = NULL_PTR;
+	m->ulParameterLen = 0;
+
+	return true;
+}
+
+static const char *
+get_curve (const char *curve)
+{
+	if (p11_ascii_strcaseeq (curve, "SECP256R1"))
+		return "\x13\x09secp256r1";
+	else if (p11_ascii_strcaseeq (curve, "SECP384R1"))
+		return "\x13\x09secp384r1";
+	else if (p11_ascii_strcaseeq (curve, "SECP521R1"))
+		return "\x13\x09secp521r1";
+	return NULL;
+}
+
+static bool
+check_args (CK_MECHANISM_TYPE type,
+	    CK_ULONG bits,
+	    const char *curve)
+{
+	if (type == CKA_INVALID) {
+		p11_message (_("no type specified"));
+		return false;
+	}
+
+	switch (type) {
+        case CKM_MOCK_GENERATE:
+                break;
+	case CKM_RSA_PKCS_KEY_PAIR_GEN:
+		if (bits == 0) {
+			p11_message (_("no bits specified"));
+			return false;
+		}
+		break;
+	case CKM_ECDSA_KEY_PAIR_GEN:
+	case CKM_EC_EDWARDS_KEY_PAIR_GEN:
+		if (curve == NULL) {
+			p11_message (_("no curve specified"));
+			return false;
+		}
+		break;
+	default:
+		p11_message (_("unkwnown mechanism type in %s"), __func__);
+		return false;
+	}
+
+	if (bits != 0 && curve != NULL) {
+		p11_message (_("both bits and curve cannot be specified at once"));
+		return false;
+	}
+
+	return true;
+}
+
+static bool
+get_templates (const char *label,
+	       CK_MECHANISM_TYPE type,
+	       const CK_ULONG *bits,
+	       const char *curve,
+	       CK_ATTRIBUTE *pubkey,
+	       CK_ULONG *pubkey_len,
+	       CK_ATTRIBUTE *privkey,
+	       CK_ULONG *privkey_len)
+{
+	int i = 0, j = 0;
+
+	if (label != NULL) {
+		pubkey[i].type = privkey[j].type = CKA_LABEL;
+		pubkey[i].pValue = privkey[j].pValue = (void *)label;
+		pubkey[i].ulValueLen = privkey[j].ulValueLen = strlen (label);
+		++i; ++j;
+	}
+
+	pubkey[i].type = privkey[j].type = CKA_TOKEN;
+	pubkey[i].pValue = privkey[j].pValue = (void *)&TVAL;
+	pubkey[i].ulValueLen = privkey[j].ulValueLen = sizeof (TVAL);
+	++i; ++j;
+
+	pubkey[i].type = privkey[j].type = CKA_PRIVATE;
+	pubkey[i].pValue = (void *)&FVAL; privkey[j].pValue = (void *)&TVAL;
+	pubkey[i].ulValueLen = privkey[j].ulValueLen = sizeof (TVAL);
+	++i; ++j;
+
+	privkey[j].type = CKA_SIGN;
+	privkey[j].pValue = (void *)&TVAL;
+	privkey[j].ulValueLen = sizeof (TVAL);
+	++j;
+
+	pubkey[i].type = CKA_VERIFY;
+	pubkey[i].pValue = (void *)&TVAL;
+	pubkey[i].ulValueLen = sizeof (TVAL);
+	++i;
+
+	switch (type) {
+        case CKM_MOCK_GENERATE:
+                break;
+	case CKM_RSA_PKCS_KEY_PAIR_GEN:
+		privkey[j].type = CKA_DECRYPT;
+		privkey[j].pValue = (void *)&TVAL;
+		privkey[j].ulValueLen = sizeof (TVAL);
+		++j;
+
+		pubkey[i].type = CKA_ENCRYPT;
+		pubkey[i].pValue = (void *)&TVAL;
+		pubkey[i].ulValueLen = sizeof (TVAL);
+		++i;
+
+		pubkey[i].type = CKA_MODULUS_BITS;
+		pubkey[i].pValue = (void *)bits;
+		pubkey[i].ulValueLen = sizeof (*bits);
+		++i;
+		break;
+	case CKM_ECDSA_KEY_PAIR_GEN:
+		pubkey[i].type = CKA_EC_PARAMS;
+		pubkey[i].pValue = (void *)curve;
+		pubkey[i].ulValueLen = strlen (curve);
+		++i;
+		break;
+	case CKM_EC_EDWARDS_KEY_PAIR_GEN:
+		pubkey[i].type = CKA_EC_PARAMS;
+		pubkey[i].pValue = (void *)curve;
+		pubkey[i].ulValueLen = strlen (curve);
+		++i;
+		break;
+	default:
+		return false;
+	}
+
+	*pubkey_len = i;
+	*privkey_len = j;
+
+	return true;
+}
+
+static int
+generate_keypair (const char *token_str,
+		  const char *label,
+		  CK_MECHANISM *mechanism,
+		  CK_ULONG bits,
+		  const char *curve)
+{
+	int rvi, ret = 1;
+	bool rvb;
+	CK_RV rv;
+	const char *pin = NULL;
+	P11KitUri *uri = NULL;
+	P11KitIter *iter = NULL;
+	CK_FUNCTION_LIST **modules = NULL;
+	CK_FUNCTION_LIST *module = NULL;
+	CK_SESSION_HANDLE session = 0;
+	CK_SLOT_ID slot = 0;
+	CK_OBJECT_HANDLE pubkey_obj, privkey_obj;
+	CK_ATTRIBUTE pubkey[16], privkey[16];
+	CK_ULONG pubkey_len, privkey_len;
+
+	rvb = get_templates (label, mechanism->mechanism, &bits, curve,
+			     pubkey, &pubkey_len, privkey, &privkey_len);
+	cleanup_if_fail (rvb, "failed to create key templates");
+
+	uri = p11_kit_uri_new ();
+	cleanup_if_fail (uri != NULL, "failed to allocate memory for URI");
+
+	rvi = p11_kit_uri_parse (token_str, P11_KIT_URI_FOR_TOKEN, uri);
+	cleanup_if_fail (rvi == P11_KIT_URI_OK, "failed to parse the token URI");
+
+	modules = p11_kit_modules_load_and_initialize (0);
+	cleanup_if_fail (modules != NULL, "failed to load and initialize modules");
+
+	iter = p11_kit_iter_new (uri, P11_KIT_ITER_WITH_TOKENS | P11_KIT_ITER_WITHOUT_OBJECTS);
+	cleanup_if_fail (iter != NULL, "failed to initialize iterator");
+
+	p11_kit_iter_begin (iter, modules);
+	rv = p11_kit_iter_next (iter);
+	cleanup_if_fail_rv (rv == CKR_OK, "failed to find the token: %s", p11_kit_strerror (rv));
+
+	module = p11_kit_iter_get_module (iter);
+	cleanup_if_fail (module != NULL, "failed to obtain module");
+
+	slot = p11_kit_iter_get_slot (iter);
+	cleanup_if_fail (slot != 0, "failed to obtain slot");
+
+	rv = module->C_OpenSession (slot, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session);
+	cleanup_if_fail_rv (rv == CKR_OK, "failed to open session: %s", p11_kit_strerror (rv));
+
+	pin = p11_kit_uri_get_pin_value (uri);
+	if (pin != NULL) {
+		rv = module->C_Login (session, CKU_USER, (unsigned char *)pin, strlen (pin));
+		cleanup_if_fail_rv (rv == CKR_OK, "failed to login: %s", p11_kit_strerror (rv));
+	}
+
+	rv = module->C_GenerateKeyPair (session, mechanism, pubkey, pubkey_len,
+					privkey, privkey_len, &pubkey_obj, &privkey_obj);
+	cleanup_if_fail_rv (rv == CKR_OK, "key-pair generation failed: %s", p11_kit_strerror (rv));
+
+	ret = 0;
+
+cleanup:
+	if (session != 0)
+		module->C_CloseSession (session);
+	p11_kit_iter_free (iter);
+	p11_kit_uri_free (uri);
+	if (modules != NULL)
+		p11_kit_modules_finalize_and_release (modules);
+
+	return ret;
+}
+
+int
+p11_kit_generate_keypair (int argc,
+			  char *argv[])
+{
+	int opt, ret = 2;
+	bool ok;
+	char *label = NULL;
+	const char *curve = NULL;
+	CK_ULONG bits = 0;
+	CK_MECHANISM mechanism = { CKA_INVALID, NULL_PTR, 0 };
+
+	enum {
+		opt_verbose = 'v',
+		opt_quiet = 'q',
+		opt_help = 'h',
+		opt_label = 'l',
+		opt_type = 't',
+		opt_bits = 'b',
+		opt_curve = 'c',
+	};
+
+	struct option options[] = {
+		{ "verbose", no_argument, NULL, opt_verbose },
+		{ "quiet", no_argument, NULL, opt_quiet },
+		{ "help", no_argument, NULL, opt_help },
+		{ "label", required_argument, NULL, opt_label },
+		{ "type", required_argument, NULL, opt_type },
+		{ "bits", required_argument, NULL, opt_bits },
+		{ "curve", required_argument, NULL, opt_curve },
+		{ 0 },
+	};
+
+	p11_tool_desc usages[] = {
+		{ 0, "usage: p11-kit generate-keypair [--label=<label>]"
+		     " --type=<algorithm> {--bits=<n>|--curve=<curve>} pkcs11:token" },
+		{ opt_label, "label to be associated with the generated key objects" },
+		{ opt_type, "type of keys to generate" },
+		{ opt_bits, "number of bits for the key generation" },
+		{ opt_curve, "curve for the key generation" },
+		{ 0 },
+	};
+
+	while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
+		switch (opt) {
+		case opt_label:
+			label = strdup (optarg);
+			cleanup_if_fail (label != NULL, "failed to allocate memory");
+			break;
+		case opt_type:
+			ok = get_mechanism (&mechanism, optarg);
+			cleanup_if_fail_rv (ok, "unknown mechanism type: %s", optarg);
+			break;
+		case opt_bits:
+			bits = strtol (optarg, NULL, 10);
+			cleanup_if_fail_rv (bits != 0, "failed to parse bits value: %s", optarg);
+			break;
+		case opt_curve:
+			curve = get_curve (optarg);
+			cleanup_if_fail_rv (curve != NULL, "unknown curve name: %s", optarg);
+			break;
+		case opt_verbose:
+			p11_kit_be_loud ();
+			break;
+		case opt_quiet:
+			p11_kit_be_quiet ();
+			break;
+		case opt_help:
+			p11_tool_usage (usages, options);
+			ret = 0;
+			goto cleanup;
+		case '?':
+			goto cleanup;
+		default:
+			assert_not_reached ();
+			break;
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc != 1) {
+		p11_tool_usage (usages, options);
+		goto cleanup;
+	}
+
+        if (!check_args (mechanism.mechanism, bits, curve))
+                goto cleanup;
+
+	ret = generate_keypair (*argv, label, &mechanism, bits, curve);
+
+cleanup:
+	free (label);
+
+	return ret;
+}
diff --git a/p11-kit/meson.build b/p11-kit/meson.build
index 3548690cf..abddea354 100644
--- a/p11-kit/meson.build
+++ b/p11-kit/meson.build
@@ -214,6 +214,7 @@ p11_kit_sources = [
   'delete-object.c',
   'delete-profile.c',
   'export-object.c',
+  'generate-keypair.c',
   'list-objects.c',
   'list-profiles.c',
   'lists.c',
diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c
index 3f494fe35..359a8c0b2 100644
--- a/p11-kit/p11-kit.c
+++ b/p11-kit/p11-kit.c
@@ -59,41 +59,45 @@
 
 #include "tool.h"
 
-int       p11_kit_list_modules    (int argc,
-                                   char *argv[]);
+int       p11_kit_list_modules     (int argc,
+                                    char *argv[]);
 
-int       p11_kit_list_objects    (int argc,
-                                   char *argv[]);
+int       p11_kit_list_objects     (int argc,
+                                    char *argv[]);
 
-int       p11_kit_export_object   (int argc,
-                                   char *argv[]);
+int       p11_kit_export_object    (int argc,
+                                    char *argv[]);
 
-int       p11_kit_delete_object   (int argc,
-                                   char *argv[]);
+int       p11_kit_delete_object    (int argc,
+                                    char *argv[]);
 
-int       p11_kit_list_profiles   (int argc,
-                                   char *argv[]);
+int       p11_kit_generate_keypair (int argc,
+                                    char *argv[]);
 
-int       p11_kit_add_profile     (int argc,
-                                   char *argv[]);
+int       p11_kit_list_profiles    (int argc,
+                                    char *argv[]);
 
-int       p11_kit_delete_profile  (int argc,
-                                   char *argv[]);
+int       p11_kit_add_profile      (int argc,
+                                    char *argv[]);
 
-int       p11_kit_print_config    (int argc,
-                                   char *argv[]);
+int       p11_kit_delete_profile   (int argc,
+                                    char *argv[]);
 
-int       p11_kit_trust           (int argc,
-                                   char *argv[]);
+int       p11_kit_print_config     (int argc,
+                                    char *argv[]);
 
-int       p11_kit_external        (int argc,
-                                   char *argv[]);
+int       p11_kit_trust            (int argc,
+                                    char *argv[]);
+
+int       p11_kit_external         (int argc,
+                                    char *argv[]);
 
 static const p11_tool_command commands[] = {
 	{ "list-modules", p11_kit_list_modules, N_("List modules and tokens") },
 	{ "list-objects", p11_kit_list_objects, N_("List objects of a token") },
 	{ "export-object", p11_kit_export_object, N_("Export object matching PKCS#11 URI") },
 	{ "delete-object", p11_kit_delete_object, N_("Delete objects matching PKCS#11 URI") },
+	{ "generate-keypair", p11_kit_generate_keypair, N_("Generate key-pair on a PKCS#11 token") },
 	{ "list-profiles", p11_kit_list_profiles, N_("List PKCS#11 profiles supported by the token") },
 	{ "add-profile", p11_kit_add_profile, N_("Add PKCS#11 profile to the token") },
 	{ "delete-profile", p11_kit_delete_profile, N_("Delete PKCS#11 profile from the token") },
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 80156043c..c902f33a2 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -6,6 +6,7 @@ p11-kit/delete-object.c
 p11-kit/delete-profile.c
 p11-kit/export-object.c
 p11-kit/filter.c
+p11-kit/generate-keypair.c
 p11-kit/list-objects.c
 p11-kit/list-profiles.c
 p11-kit/lists.c