authorMiloslav Trmač <mitr@redhat.com>2010-11-29 17:12:42 +0100
committerMiloslav Trmač <mitr@redhat.com>2010-11-29 17:37:51 +0100
commitcd4794e966303075633d6ac28e98279282734fd7 (patch)
treec1caef7d65bcbe362efb4348af053e5d9b695455
parent233b3d9dbc1e756d09be2c6901a341588020fa49 (diff)
Make private key sensitivity visible to NSS
-rw-r--r--lib/ncrypto_nss.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/lib/ncrypto_nss.c b/lib/ncrypto_nss.c
index 818091d..4737fc2 100644
--- a/lib/ncrypto_nss.c
+++ b/lib/ncrypto_nss.c
@@ -407,8 +407,8 @@ private_key_create (struct ncr_private_key **key, CK_KEY_TYPE type,
k->key = PK11_UnwrapPrivKey (slot, wrapping_key, CKM_AES_CBC_PAD, &iv_item,
&wrapped_item, NULL, (SECItem *)public_value,
- PR_FALSE /* token */, PR_FALSE /* sensitive */,
- type, NULL, 0, NULL);
+ PR_FALSE /* token */, sensitive, type, NULL, 0,
+ NULL);
SECITEM_ZfreeItem (&wrapped_item, PR_FALSE);
PK11_FreeSymKey (wrapping_key);
PK11_FreeSlot (slot);
@@ -580,13 +580,25 @@ ncr_private_key_create (struct ncr_private_key **key, CK_KEY_TYPE type,
CK_RV
ncr_private_key_set_sensitive (struct ncr_private_key *key)
{
+ static const CK_BBOOL true_value = CK_TRUE;
+
CK_RV res;
+ SECStatus ss;
+ SECItem item;
res = ensure_ncr_is_open ();
if (res != CKR_OK)
return res;
g_return_val_if_fail (key != NULL, CKR_KEY_HANDLE_INVALID);
+
+ item.data = (void *)&true_value;
+ item.len = sizeof (true_value);
+ ss = PK11_WriteRawAttribute (PK11_TypePrivKey, key->key, CKA_SENSITIVE,
+ &item);
+ if (ss != SECSuccess)
+ return CKR_GENERAL_ERROR;
+
key->sensitive = true;
return CKR_OK;
}
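Review bot: The added PK11_WriteRawAttribute call sets only CKA_SENSITIVE, and nothing in ncr_private_key_set_sensitive says what that does and does not guarantee. In PKCS #11 a sensitive key can still leave the token in wrapped form unless CKA_EXTRACTABLE is also false, and whether ncrypto restricts that elsewhere is not visible in this hunk. I would add a comment above the call such as `/* CKA_SENSITIVE only blocks plaintext export; wrapping is governed by CKA_EXTRACTABLE. */`. The cast in `item.data = (void *)&true_value;` drops const from a static const object, which is safe only as long as NSS reads the item and never writes through it; a short comment saying so would help the next reader.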
@@ -679,10 +691,8 @@ key_pair_generate (struct ncr_public_key **public_key,
if (slot == NULL)
goto err_priv;
- /* FIXME: propagate "sensitive" here? */
priv->key = PK11_GenerateKeyPair(slot, mech, params, &pub->key,
- PR_FALSE /* isPerm */,
- PR_FALSE /* sensitive */, NULL);
+ PR_FALSE /* isPerm */, sensitive, NULL);
PK11_FreeSlot (slot);
if (priv->key == NULL)
goto err_priv;
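Review bot: Passing `sensitive` to PK11_GenerateKeyPair may set more than CKA_SENSITIVE: as far as I recall, NSS maps a true `sensitive` argument to both the sensitive and the private attribute flags, whereas ncr_private_key_set_sensitive in this same commit writes CKA_SENSITIVE alone. If that holds, a key generated as sensitive and a key marked sensitive afterwards end up with different attributes, and a CKA_PRIVATE object can require an authenticated slot. Please confirm against the NSS version in use and replace the removed FIXME with a comment such as `/* sensitive is passed straight to NSS; see PK11_GenerateKeyPair for the attributes it implies */`. key_pair_generate starts and ends outside this hunk, so the declaration of `sensitive` is not visible here.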