On NSS, treat non-permanent RSA private keys as ephemeral

crypto/rsa_private_key_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/rsa_private_key.h"
 
 #include <cryptohi.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <secmod.h>
@@ skipping 189 matching lines @@
 }
 
 // static
 RSAPrivateKey* RSAPrivateKey::CreateWithParams(uint16 num_bits,
                                                bool permanent,
                                                bool sensitive) {
   EnsureNSSInit();
 
   scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
 
-  ScopedPK11Slot slot(GetPrivateNSSKeySlot());
+  ScopedPK11Slot slot(permanent ? GetPrivateNSSKeySlot() :
+                      PK11_GetInternalKeySlot());

[wtc, 2013/06/20 19:57:37]

I think we should use GetPublicNSSKeySlot() instead of
PK11_GetInternalKeySlot().

Actually, I think PK11_GetInternalSlot() (which is not
backed by the NSS cert and key databases) may be even
better.

[Ryan Sleevi, 2013/06/20 20:01:50]

This was intentional, because I do not want to use any ChromeOS redirected slots
(such as the software slot), which indirectly may hit the TPM.
Ah, this is actually what I intended. I didn't realize there were two functions!
bleh!

   if (!slot.get())
     return NULL;
 
   PK11RSAGenParams param;
   param.keySizeInBits = num_bits;
   param.pe = 65537L;
   result->key_ = PK11_GenerateKeyPair(slot.get(),
                                       CKM_RSA_PKCS_KEY_PAIR_GEN,
                                       &param,
                                       &result->public_key_,
                                       permanent,
                                       sensitive,
                                       NULL);
   if (!result->key_)
     return NULL;
 
   return result.release();
 }
 
 // static
 RSAPrivateKey* RSAPrivateKey::CreateFromPrivateKeyInfoWithParams(
     const std::vector<uint8>& input, bool permanent, bool sensitive) {
   // This method currently leaks some memory.
   // See http://crbug.com/34742.
   ANNOTATE_SCOPED_MEMORY_LEAK;
   EnsureNSSInit();
 
   scoped_ptr<RSAPrivateKey> result(new RSAPrivateKey);
 
-  ScopedPK11Slot slot(GetPrivateNSSKeySlot());
+  ScopedPK11Slot slot(permanent ? GetPrivateNSSKeySlot() :
+                      PK11_GetInternalKeySlot());
   if (!slot.get())
     return NULL;
 
   SECItem der_private_key_info;
   der_private_key_info.data = const_cast<unsigned char*>(&input.front());
   der_private_key_info.len = input.size();
   // Allow the private key to be used for key unwrapping, data decryption,
   // and signature generation.
   const unsigned int key_usage = KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT |
                                  KU_DIGITAL_SIGNATURE;
   SECStatus rv =  PK11_ImportDERPrivateKeyInfoAndReturnKey(
       slot.get(), &der_private_key_info, NULL, NULL, permanent, sensitive,
       key_usage, &result->key_, NULL);
   if (rv != SECSuccess) {
     NOTREACHED();
     return NULL;
   }
 
   result->public_key_ = SECKEY_ConvertToPublicKey(result->key_);
   if (!result->public_key_) {
     NOTREACHED();
     return NULL;
   }
 
   return result.release();
 }
 
 }  // namespace crypto