Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Zeroing the Link Secret #202

Open
dbluhm opened this issue May 8, 2023 · 1 comment
Open

Zeroing the Link Secret #202

dbluhm opened this issue May 8, 2023 · 1 comment

Comments

@dbluhm
Copy link
Member

dbluhm commented May 8, 2023

I raised a question on Discord and it was recommended I raise it as an issue to track here. Original messasge pasted below:

I was reading through this issue #194 and had a question:

With the link secret (formerly master secret) now being returned as just a plain old string value, should we be thinking about zeroing out memory where the secret was held? I'm not in the habit of thinking about this in python but that was perhaps one advantage of having the rust layer hold the value so that it could then zero the memory when it was released.

@blu3beri responded to my question on Discord indicating that zeroing the link secret is probably something we want to do but there are some complexities that arise from the fact that it's a BigNumber type from Ursa which doesn't implement zeroize.

@dbluhm
Copy link
Member Author

dbluhm commented Jun 7, 2023

Some input from @andrewwhitehead:

In python we actually use the buffer protocol to copy data from an indy-credx object to askar without leaving duplicates, but that's not always possible.
For example: https://github.com/hyperledger/aries-cloudagent-python/blob/99b9e3713334c078212683c536277dc944025417/aries_cloudagent/indy/credx/holder.py#L84
raw_value is a memoryview object, which just references the buffer that will be zeroed

From what I understand, this means that the Python wrapper can pass around a value like the link secret without needing to copy the bytes out of the original buffer. As discussed on Discord, this means that, even though the link secret does need to be passed beyond the FFI boundary at least so the caller can store it in Askar or similar, this can be done in a way that the Rust layer can still effectively zeroize the link secret from memory.

Currently, the anoncreds-rs python wrapper will not accept a memoryview object for the link secret value in methods like process_credential and is strictly expecting a string value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant