prevent key material from entering serde_json::Value

2026-04-14 00:04:06 +09:00 · 2026-03-23 11:13:30 +09:00
parent 2b540edab3
commit 2247bc32bf
1 changed files with 14 additions and 2 deletions
--- a/src/bridge.rs
+++ b/src/bridge.rs
@@ -13,11 +13,14 @@ use crate::crypto::{
 };
 use crate::storage::KeyStore;

+const KEY_PLACEHOLDER: &str = "__KEY_PLACEHOLDER_00000000_00000000__";
+
 pub struct BiometricBridge {
    store: Box<dyn KeyStore>,
    uid: String,
    prompt: Prompter,
    sessions: HashMap<String, SymmetricKey>,
+    pending_key: Option<String>,
 }

 impl BiometricBridge {
@@ -27,6 +30,7 @@ impl BiometricBridge {
            uid,
            prompt,
            sessions: HashMap::new(),
+            pending_key: None,
        }
    }

@@ -113,6 +117,12 @@ impl BiometricBridge {

        let key = self.sessions.get(app_id).unwrap();
        let mut resp_json = serde_json::to_string(&resp).unwrap();
+
+        if let Some(mut real_key) = self.pending_key.take() {
+            resp_json = resp_json.replace(KEY_PLACEHOLDER, &real_key);
+            real_key.zeroize();
+        }
+
        let encrypted = enc_string_encrypt(&resp_json, key);
        resp_json.zeroize();

@@ -161,9 +171,11 @@ impl BiometricBridge {

    fn handle_unlock(&mut self, cmd: &str, mid: i64) -> Value {
        match self.unseal_key() {
-            Some(key_b64) => {
+            Some(mut key_b64) => {
                crate::log::info("-> unlock granted");
-                self.reply(cmd, mid, json!({"response": true, "userKeyB64": key_b64}))
+                let resp = self.reply(cmd, mid, json!({"response": true, "userKeyB64": KEY_PLACEHOLDER}));
+                self.pending_key = Some(std::mem::take(&mut key_b64));
+                resp
            }
            None => {
                crate::log::warn("unlock denied or failed");