Add ClearSecretData calls for IPK bits on Darwin.

Keypairs do this automatically, but we're using a raw buffer for the IPK.

src/crypto/CHIPCryptoPAL.h

@@ -178,6 +178,15 @@ enum class SupportedECPKeyTypes : uint8_t
  **/
 void ClearSecretData(uint8_t * buf, size_t len);
 
+/**
+ * Helper for clearing a C array which auto-deduces the size.
+ */
+template <size_t N>
+void ClearSecretData(uint8_t (&buf)[N])
+{
+    ClearSecretData(buf, N);
+}
+
 template <typename Sig>
 class ECPKey
 {

src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.h

@@ -35,7 +35,7 @@ class CHIPOperationalCredentialsDelegate : public chip::Controller::OperationalC
 public:
     using ChipP256KeypairPtr = std::unique_ptr<chip::Crypto::P256Keypair>;
 
-    ~CHIPOperationalCredentialsDelegate() {}
+    ~CHIPOperationalCredentialsDelegate() { chip::Crypto::ClearSecretData(mIPK); }
 
     /**
      * If nocSigner is not provided (is null), a keypair will be loaded from the

src/darwin/Framework/CHIP/CHIPOperationalCredentialsDelegate.mm

@@ -46,6 +46,11 @@ static BOOL isRunningTests(void)
     return (environment[@"XCTestConfigurationFilePath"] != nil);
 }
 
+static void ClearSecretData(NSMutableData * data)
+{
+    Crypto::ClearSecretData(static_cast<uint8_t *>([data mutableBytes]), [data length]);
+}
+
 CHIP_ERROR CHIPOperationalCredentialsDelegate::init(
     CHIPPersistentStorageDelegateBridge * storage, ChipP256KeypairPtr nocSigner, NSData * _Nullable ipk)
 {
@@ -141,6 +146,7 @@ static BOOL isRunningTests(void)
         (id) kSecReturnData : @YES,
     };
 
+    // TODO: Figure out a way to ClearSecretData for this keyDataRef?
     CFDataRef keyDataRef;
     OSStatus status = SecItemCopyMatching((CFDictionaryRef) query, (CFTypeRef *) &keyDataRef);
     if (status == errSecItemNotFound || keyDataRef == nil) {
@@ -151,17 +157,20 @@ static BOOL isRunningTests(void)
     CHIP_LOG_ERROR("Found an existing self managed keypair in the keychain");
     NSData * keyData = CFBridgingRelease(keyDataRef);
 
-    NSData * keypairData = [[NSData alloc] initWithBase64EncodedData:keyData options:0];
+    NSMutableData * keypairData = [[NSMutableData alloc] initWithBase64EncodedData:keyData options:0];
 
     chip::Crypto::P256SerializedKeypair serialized;
     if ([keypairData length] != serialized.Capacity()) {
         NSLog(@"Keypair length %zu does not match expected length %zu", [keypairData length], serialized.Capacity());
+        ClearSecretData(keypairData);
         return CHIP_ERROR_INTERNAL;
     }
 
     std::memmove((uint8_t *) serialized, [keypairData bytes], [keypairData length]);
     serialized.SetLength([keypairData length]);
 
+    ClearSecretData(keypairData);
+
     CHIP_LOG_ERROR("Deserializing the key");
     return mIssuerKey->Deserialize(serialized);
 }
@@ -175,6 +184,7 @@ static BOOL isRunningTests(void)
         (id) kSecReturnData : @YES,
     };
 
+    // TODO: Figure out a way to ClearSecretData for this keyDataRef?
     CFDataRef keyDataRef;
     OSStatus status = SecItemCopyMatching((CFDictionaryRef) query, (CFTypeRef *) &keyDataRef);
     if (status == errSecItemNotFound || keyDataRef == nil) {
@@ -185,13 +195,15 @@ static BOOL isRunningTests(void)
     CHIP_LOG_ERROR("Found an existing IPK in the keychain");
     NSData * keyData = CFBridgingRelease(keyDataRef);
 
-    NSData * ipkData = [[NSData alloc] initWithBase64EncodedData:keyData options:0];
+    NSMutableData * ipkData = [[NSMutableData alloc] initWithBase64EncodedData:keyData options:0];
     if ([ipkData length] != sizeof(mIPK)) {
         NSLog(@"IPK length %zu does not match expected length %zu", [ipkData length], sizeof(mIPK));
+        ClearSecretData(ipkData);
         return CHIP_ERROR_INTERNAL;
     }
 
     memcpy(mIPK, [ipkData bytes], [ipkData length]);
+    ClearSecretData(ipkData);
     return CHIP_NO_ERROR;
 }
 
@@ -209,15 +221,18 @@ static BOOL isRunningTests(void)
         return errorCode;
     }
 
-    NSData * keypairData = [NSData dataWithBytes:serializedKey.Bytes() length:serializedKey.Length()];
+    NSMutableData * keypairData = [NSMutableData dataWithBytes:serializedKey.Bytes() length:serializedKey.Length()];
 
     const NSDictionary * addParams = @{
         (id) kSecClass : (id) kSecClassGenericPassword,
         (id) kSecAttrService : kCHIPCAKeyChainLabel,
         (id) kSecAttrSynchronizable : @YES,
+        // TODO: Figure out how to ClearSecretData on the base-64 encoded data?
         (id) kSecValueData : [keypairData base64EncodedDataWithOptions:0],
     };
 
+    ClearSecretData(keypairData);
+
     OSStatus status = SecItemAdd((__bridge CFDictionaryRef) addParams, nullptr);
     // TODO: Enable SecItemAdd for Darwin unit tests
     if (status != errSecSuccess && !isRunningTests()) {
@@ -237,15 +252,18 @@ static BOOL isRunningTests(void)
         return errorCode;
     }
 
-    NSData * ipkAdata = [NSData dataWithBytes:mIPK length:sizeof(mIPK)];
+    NSMutableData * ipkData = [NSMutableData dataWithBytes:mIPK length:sizeof(mIPK)];
 
     const NSDictionary * addParams = @{
         (id) kSecClass : (id) kSecClassGenericPassword,
         (id) kSecAttrService : kCHIPIPKKeyChainLabel,
         (id) kSecAttrSynchronizable : @YES,
-        (id) kSecValueData : [ipkAdata base64EncodedDataWithOptions:0],
+        // TODO: Figure out how to ClearSecretData on the base-64 encoded data?
+        (id) kSecValueData : [ipkData base64EncodedDataWithOptions:0],
     };
 
+    ClearSecretData(ipkData);
+
     OSStatus status = SecItemAdd((__bridge CFDictionaryRef) addParams, nullptr);
     // TODO: Enable SecItemAdd for Darwin unit tests
     if (status != errSecSuccess && !isRunningTests()) {

src/protocols/secure_channel/CASESession.cpp

@@ -108,7 +108,7 @@ void CASESession::Clear()
     PairingSession::Clear();
 
     mState = kInitialized;
-    Crypto::ClearSecretData(&mIPK[0], sizeof(mIPK));
+    Crypto::ClearSecretData(mIPK);
 
     AbortExchange();
 }