Explicitly zero a `KeyPair` after use.

[didier-wenzek]

I'm missing a way to zero a KeyPair after use.

Using the crate zeroise, one can zeroize the string return by Certificate::serialize_private_key_pem but not the KeyPair internally hold by that Certificate,
because some Into<Zeroizing> trait implementation is missing.

Could rcgen provide such zeroize feature? With some explicit call or implicitly in Drop?

[est31]

Thanks for the report! I have wondered about crates like the zeroize crate, but I think there are still a couple of problems with them. The memory can still be swapped to disk, or be copied (memory on linux is copy on write).

[est31]

Also, rcgen only wraps the ring crate for these types, although there are probably some instances where the key is copied around a bit.

[didier-wenzek]

Thank you for responsiveness.

Sure, there are still other issues beyond zero the memory. But this is a very good first step and zeroise sounds as a nice trade-off.

[est31]

swap access isn't that uncommon. Especially if you use swap with an SSD, wear levelling distributes material all over the raw storage. Someone stealing your hardware will be able to extract useful stuff from it. But admittedly, there are no low privilege APIs, especially no cross platform ones, to protect from secrets from leaking onto permanent storage media.

Anyways, it's ring that is responsible for holding the key material, so better discuss this in the dedicated upstream issue: briansmith/ring#15

There might be some key material handling outside of ring encapsulated things. I wonder where, if at all, the rcgen crate touches such key material in a way that it creates a new allocation.

[mneumann]

You cannot do much about private data that is allocated by a library, unless you really want to globally overwrite the free method yourself and add a memset on free, which would downgrade performance quite a lot.

zeroize only knows how to zero out the standard types. So basically any type T : Zeroize can be zeroed. If Certificate does not implement that trait (and is a struct itself), you are out of luck. The best would be to provide a patch upstream to implement Zeroize for Certificate. The Zeroizing wrapper struct is only applicable to types that already implement Zeroize.

I'd just go with Zeroize, it's better than nothing!

Also note that Rust doesn't have copy or move constructors as in C++. When a value in Rust is moved (that is, every value that does not implement the Copy trait), it's occupied memory is simply memcpyed over to the new location. You can't change that (the same is true for Copy). The compiler statically guarantees that the old memory location is no longer touched by safe Rust code, but the memory is not zeroed out, as you can see with this small example:

struct S(usize);

impl S {
    fn new() -> Self { Self(42) }
}

impl Drop for S {
    fn drop(&mut self) {
        println!("drop");
        (*self).0 = 0;
    }
}

fn main() {
    let a = S::new();
    let a_ptr: *const S = &a;
    println!("&a = {:p}", a_ptr); // e.g. 0x7fffffffe210

    let b = a; // moved here
    let b_ptr: *const S = &b;
    println!("&b = {:p}", b_ptr); // e.g. 0x7fffffffe268

    println!("*a = {}", unsafe { (*a_ptr).0 }); // prints 42
    println!("*b = {}", unsafe { (*b_ptr).0 }); // prints 42

    // *b will be zero at the end of the scope, but *a will still be 42.
}

You see, both a and b have different memory locations (on the stack), and derefencing these pointers have the same values after the move.

Note that this is really only a problem for stack allocated values. If you have anything heap allocated, only the pointer of the heap allocated data will be memcpyed when the value is "moved", so you don't end up with two copies of the same memory as for "move".

Also note that Drop is only called once for the final value, b in this case. This is one of the big differences to C++, where you'd really have two destructors being called and you could (and actually should!) zero out upon move (move constructor).

[didier-wenzek]

I open the PR #48 proposing a new optional zeroize feature.

With that feature, it will be possible to wrap a Certificate with a Zeroizing wrapper to zero the internal KeyPair on drop.
This feature is not invasive. No changes affect a user who doesn't use it.

The secret of a KeyPair is held by a Vec<u8>, hence already handled by zeroize and not affected by the issue highlighted by @mneumann on move. However, the content of that keypair comes from a ring::signature::EcdsaKeyPair and the behavior for that copy will depend on briansmith/ring#15.

[cpu]

@est31 Do you think this can be closed based on #48 landing or did you have additional work in mind?

[didier-wenzek]

@cpu Yes, this can be closed. Thank you.