Setup zeroizing secrets

paolobarbolini · Nov 6, 2021 · 4c0aab9 · 4c0aab9
1 parent 036840b
commit 4c0aab9
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 8 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,6 +16,7 @@ sha2 = "0.9.2"
 time = { version = "0.3", default-features = false, features = ["macros", "formatting"] }
 url = "2.2.0"
 percent-encoding = "2.1.0"
+zeroize = "1"
 
 # optional
 base64 = { version = "0.13", optional = true }

diff --git a/src/credentials/mod.rs b/src/credentials/mod.rs
@@ -15,6 +15,7 @@ use std::fmt::{self, Debug, Formatter};
 pub use self::rotating::RotatingCredentials;
 #[cfg(feature = "full")]
 pub use self::serde::Ec2SecurityCredentialsMetadataResponse;
+use zeroize::Zeroizing;
 
 mod rotating;
 #[cfg(feature = "full")]
@@ -24,7 +25,7 @@ mod serde;
 #[derive(Clone, PartialEq, Eq)]
 pub struct Credentials {
     key: String,
-    secret: String,
+    secret: Zeroizing<String>,
     token: Option<String>,
 }
 
@@ -43,7 +44,7 @@ impl Credentials {
     pub fn new_<S: Into<String>>(key: S, secret: S, token: Option<S>) -> Self {
         Self {
             key: key.into(),
-            secret: secret.into(),
+            secret: Zeroizing::new(secret.into()),
             token: token.map(|s| s.into()),
         }
     }

diff --git a/src/credentials/serde.rs b/src/credentials/serde.rs
@@ -1,7 +1,9 @@
 use std::fmt::{self, Debug, Formatter};
+use std::mem;
 
 use serde::{Deserialize, Deserializer};
 use time::PrimitiveDateTime;
+use zeroize::Zeroize;
 
 use crate::time_::ISO8601_EXT;
 
@@ -64,14 +66,20 @@ impl Ec2SecurityCredentialsMetadataResponse {
 
     /// Convert this `Ec2SecurityCredentialsMetadataResponse` into [`Credentials`]
     #[inline]
-    pub fn into_credentials(self) -> Credentials {
-        Credentials::new_(self.key, self.secret, Some(self.token))
+    pub fn into_credentials(mut self) -> Credentials {
+        let key = mem::take(&mut self.key);
+        let secret = mem::take(&mut self.secret);
+        let token = mem::take(&mut self.token);
+        Credentials::new_(key, secret, Some(token))
     }
 
     /// Update a [`RotatingCredentials`] with the credentials of this `Ec2SecurityCredentialsMetadataResponse`
     #[inline]
-    pub fn rotate_credentials(self, rotating: &RotatingCredentials) {
-        rotating.update(self.key, self.secret, Some(self.token));
+    pub fn rotate_credentials(mut self, rotating: &RotatingCredentials) {
+        let key = mem::take(&mut self.key);
+        let secret = mem::take(&mut self.secret);
+        let token = mem::take(&mut self.token);
+        rotating.update(key, secret, Some(token));
     }
 }
 
@@ -83,6 +91,12 @@ impl Debug for Ec2SecurityCredentialsMetadataResponse {
     }
 }
 
+impl Drop for Ec2SecurityCredentialsMetadataResponse {
+    fn drop(&mut self) {
+        self.secret.zeroize();
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use pretty_assertions::assert_eq;

diff --git a/src/signing/signature.rs b/src/signing/signature.rs
@@ -1,6 +1,7 @@
 use hmac::{Hmac, Mac, NewMac};
 use sha2::Sha256;
 use time::OffsetDateTime;
+use zeroize::Zeroizing;
 
 use crate::time_::YYYYMMDD;
 
@@ -14,8 +15,13 @@ pub fn signature(
 ) -> String {
     let yyyymmdd = date.format(&YYYYMMDD).expect("invalid format");
 
-    let mut mac = HmacSha256::new_from_slice(format!("AWS4{}", secret).as_bytes())
-        .expect("HMAC can take keys of any size");
+    let mut raw_date = String::with_capacity("AWS4".len() + secret.len());
+    raw_date.push_str("AWS4");
+    raw_date.push_str(secret);
+    let raw_date = Zeroizing::new(raw_date);
+
+    let mut mac =
+        HmacSha256::new_from_slice(raw_date.as_bytes()).expect("HMAC can take keys of any size");
     mac.update(yyyymmdd.as_bytes());
     let date_key = mac.finalize().into_bytes();