Skip to content

Commit

Permalink
fix: buffer not zeroized upon successful secret key decoding
Browse files Browse the repository at this point in the history
  • Loading branch information
drHuangMHT committed May 3, 2023
1 parent 5efbcb0 commit af8c068
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions identity/src/ecdsa.rs
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ use p256::{
EncodedPoint,
};
use void::Void;
use zeroize::Zeroize;

/// An ECDSA keypair generated using `secp256r1` curve.
#[derive(Clone)]
Expand Down Expand Up @@ -134,10 +135,13 @@ impl SecretKey {
.to_vec()
}

/// Try to decode a secret key from a byte buffer in DER-encoded PKCS#8 format.
pub(crate) fn try_decode_pkcs8_der(buf: &[u8]) -> Result<Self, DecodingError> {
/// Try to decode a secret key from a byte buffer in DER-encoded PKCS#8 format, zeroize the buffer on success.
pub(crate) fn try_decode_pkcs8_der(buf: &mut [u8]) -> Result<Self, DecodingError> {
match SigningKey::from_pkcs8_der(buf) {
Ok(key) => Ok(SecretKey(key)),
Ok(key) => {
buf.zeroize();
Ok(SecretKey(key))
}
Err(e) => Err(DecodingError::failed_to_parse("ECDSA", e)),
}
}
Expand Down Expand Up @@ -309,7 +313,7 @@ mod tests {
fn secret_key_encode_decode_roundtrip() {
let secret_key = SecretKey::generate();
let encoded_bytes = secret_key.encode_pkcs8_der();
let decoded_key = SecretKey::try_decode_pkcs8_der(&encoded_bytes).unwrap();
let decoded_key = SecretKey::try_decode_pkcs8_der(encoded_bytes.clone().as_mut()).unwrap();
assert_eq!(decoded_key.encode_pkcs8_der(), encoded_bytes)
}
}

0 comments on commit af8c068

Please sign in to comment.