Cryptographic Secret type (#615)

* Adds a type for cryptographic secrets * default implementations and zeroize documentation * removes whitespace
2023-04-19 18:02:48 +02:00
parent 3091b5a29d
commit 5f7eb3177b
36 changed files with 582 additions and 254 deletions
--- a/src/env/tock/commands.rs
+++ b/src/env/tock/commands.rs
@@ -27,6 +27,7 @@ use opensk::ctap::check_user_presence;
 use opensk::ctap::data_formats::{
    extract_bool, extract_byte_string, extract_map, extract_unsigned, ok_or_missing,
 };
+use opensk::ctap::secret::Secret;
 use opensk::ctap::status_code::Ctap2StatusCode;
 use opensk::ctap::{cbor_read, cbor_write, Channel};
 use opensk::env::{Env, Sha};
@@ -110,7 +111,7 @@ fn process_vendor_configure(
            // to not leak information.
            if current_attestation.is_none() {
                let attestation = Attestation {
-                    private_key: data.private_key,
+                    private_key: Secret::from_exposed_secret(data.private_key),
                    certificate: data.certificate,
                };
                env.attestation_store()
@@ -491,7 +492,7 @@ mod test {
        assert_eq!(
            env.attestation_store().get(&attestation_store::Id::Batch),
            Ok(Some(Attestation {
-                private_key: dummy_key,
+                private_key: Secret::from_exposed_secret(dummy_key),
                certificate: dummy_cert.to_vec(),
            }))
        );
@@ -519,7 +520,7 @@ mod test {
        assert_eq!(
            env.attestation_store().get(&attestation_store::Id::Batch),
            Ok(Some(Attestation {
-                private_key: dummy_key,
+                private_key: Secret::from_exposed_secret(dummy_key),
                certificate: dummy_cert.to_vec(),
            }))
        );
--- a/src/env/tock/storage.rs
+++ b/src/env/tock/storage.rs
@@ -343,7 +343,8 @@ impl TockUpgradeStorage {
            // The hash implementation handles this in chunks, so no memory issues.
            hasher.update(partition_slice);
        }
-        let computed_hash = hasher.finalize();
+        let mut computed_hash = [0; 32];
+        hasher.finalize(&mut computed_hash);
        if &computed_hash != parse_metadata_hash(metadata) {
            return Err(StorageError::CustomError);
        }