Skip to content

Commit

Permalink
Take PIN ownership to minimze memory copy-s
Browse files Browse the repository at this point in the history
followup WE2-479

Signed-off-by: Raul Metsma <[email protected]>
  • Loading branch information
metsma committed Aug 6, 2024
1 parent 0fbaab4 commit 11cc03f
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 23 deletions.
15 changes: 4 additions & 11 deletions src/controller/command-handlers/authenticate.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ QVariantMap createAuthenticationToken(const QString& signatureAlgorithm,
}

QByteArray createSignature(const QString& origin, const QString& challengeNonce,
const ElectronicID& eid, const pcsc_cpp::byte_vector& pin)
const ElectronicID& eid, pcsc_cpp::byte_vector&& pin)
{
static const std::map<JsonWebSignatureAlgorithm, QCryptographicHash::Algorithm>
SIGNATURE_ALGO_TO_HASH {
Expand Down Expand Up @@ -85,7 +85,7 @@ QByteArray createSignature(const QString& origin, const QString& challengeNonce,
const pcsc_cpp::byte_vector hashToBeSigned {hashToBeSignedQBytearray.cbegin(),
hashToBeSignedQBytearray.cend()};

const auto signature = eid.signWithAuthKey(pin, hashToBeSigned);
const auto signature = eid.signWithAuthKey(std::move(pin), hashToBeSigned);

return QByteArray::fromRawData(reinterpret_cast<const char*>(signature.data()),
int(signature.size()))
Expand Down Expand Up @@ -122,17 +122,10 @@ QVariantMap Authenticate::onConfirm(WebEidUI* window,
const auto signatureAlgorithm =
QString::fromStdString(cardCertAndPin.cardInfo->eid().authSignatureAlgorithm());

auto pin = getPin(cardCertAndPin.cardInfo->eid(), window);

try {
auto pin = getPin(cardCertAndPin.cardInfo->eid(), window);
const auto signature =
createSignature(origin.url(), challengeNonce, cardCertAndPin.cardInfo->eid(), pin);

// Erase the PIN memory.
// TODO: Use a scope guard. Verify that the buffers are actually zeroed and no copies
// remain.
std::fill(pin.begin(), pin.end(), '\0');

createSignature(origin.url(), challengeNonce, cardCertAndPin.cardInfo->eid(), std::move(pin));
return createAuthenticationToken(signatureAlgorithm, cardCertAndPin.certificateBytesInDer,
signature);

Expand Down
15 changes: 4 additions & 11 deletions src/controller/command-handlers/sign.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,11 @@ using namespace electronic_id;
namespace
{

QPair<QString, QVariantMap> signHash(const ElectronicID& eid, const pcsc_cpp::byte_vector& pin,
QPair<QString, QVariantMap> signHash(const ElectronicID& eid, pcsc_cpp::byte_vector&& pin,
const QByteArray& docHash, const HashAlgorithm hashAlgo)
{
const auto hashBytes = pcsc_cpp::byte_vector {docHash.begin(), docHash.end()};
const auto signature = eid.signWithSigningKey(pin, hashBytes, hashAlgo);
const auto signature = eid.signWithSigningKey(std::move(pin), hashBytes, hashAlgo);

const auto signatureBase64 =
QByteArray::fromRawData(reinterpret_cast<const char*>(signature.first.data()),
Expand Down Expand Up @@ -95,16 +95,9 @@ void Sign::emitCertificatesReady(const std::vector<CardCertificateAndPinInfo>& c

QVariantMap Sign::onConfirm(WebEidUI* window, const CardCertificateAndPinInfo& cardCertAndPin)
{
auto pin = getPin(cardCertAndPin.cardInfo->eid(), window);

try {
const auto signature = signHash(cardCertAndPin.cardInfo->eid(), pin, docHash, hashAlgo);

// Erase PIN memory.
// TODO: Use a scope guard. Verify that the buffers are actually zeroed
// and no copies remain.
std::fill(pin.begin(), pin.end(), '\0');

auto pin = getPin(cardCertAndPin.cardInfo->eid(), window);
const auto signature = signHash(cardCertAndPin.cardInfo->eid(), std::move(pin), docHash, hashAlgo);
return {{QStringLiteral("signature"), signature.first},
{QStringLiteral("signatureAlgorithm"), signature.second}};

Expand Down

0 comments on commit 11cc03f

Please sign in to comment.