PK11AttrFlags attrFlags=0;

if (!temporary) {
    attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
}

if (sensitive == 1) {
    attrFlags |= PK11_ATTR_SENSITIVE;
} else if (sensitive == 0) {
    attrFlags |= PK11_ATTR_INSENSITIVE;
}

skey = PK11_TokenKeyGenWithFlags(
    slot,
    mech,
    NULL /* param */,
    strength/8 /* in bytes */,
    NULL /* keyid */,
    opFlags,
    attrFlags,
    NULL /* wincx */);

private boolean temporaryPairMode = false;

//  1: sensitive
//  0: insensitive
// -1: sensitive if temporaryPairMode is false,
//     insensitive if temporaryPairMode is true
//     (the default depends on temporaryPairMode for backward
//     compatibility)
private int sensitivePairMode = -1;

//  1: extractable
//  0: unextractable
// -1: unspecified (token dependent)
private int extractablePairMode = -1;

PK11AttrFlags attrFlags = 0;

if (temporary) {
    attrFlags |= PK11_ATTR_SESSION;
} else {
    attrFlags |= PK11_ATTR_TOKEN;
}

if (extractable == 1) {
    attrFlags |= PK11_ATTR_EXTRACTABLE;
} else if (extractable == 0) {
    attrFlags |= PK11_ATTR_UNEXTRACTABLE;
}

// The default of sensitive is set this way to be backward compatible.
if (sensitive == -1) {
    sensitive = !temporary;
}

// The PRIVATE/PUBLIC attributes are set this way to be backward
// compatible with the original PK11_GenerateKeyPair call.
if (sensitive) {
    attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE);
} else {
    attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
}

*privk = PK11_GenerateKeyPairWithOpFlags(
    slot,
    mechanism,
    params,
    pubk,
    attrFlags,
    (CK_FLAGS) op_flags,
    (CK_FLAGS) op_flags_mask /* the ones we don't want */,
    NULL /* default PW callback */);

JSS_PK11_getPrivKeyPtr(JNIEnv *env, jobject privkObject, SECKEYPrivateKey** ptr)
JSS_PK11_getPubKeyPtr(JNIEnv *env, jobject pubkObject, SECKEYPublicKey** ptr)
jobject JSS_PK11_wrapPrivKey(JNIEnv *env, SECKEYPrivateKey **privk)
jobject JSS_PK11_wrapPubKey(JNIEnv *env, SECKEYPublicKey **pKey)