From 2247bc32bfa3367d3ac06c1150712fa44f1e6e16 Mon Sep 17 00:00:00 2001
From: Morgan
Date: Mon, 23 Mar 2026 11:13:30 +0900
Subject: [PATCH] prevent key material from entering serde_json::Value
---
 src/bridge.rs | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/bridge.rs b/src/bridge.rs
index 68d66ca..600a299 100644
--- a/src/bridge.rs
+++ b/src/bridge.rs
@@ -13,11 +13,14 @@ use crate::crypto::{
 };
 use crate::storage::KeyStore;
+const KEY_PLACEHOLDER: &str = "__KEY_PLACEHOLDER_00000000_00000000__";
+
 pub struct BiometricBridge {
 store: Box,
 uid: String,
 prompt: Prompter,
 sessions: HashMap,
+ pending_key: Option,
 }
 impl BiometricBridge {
@@ -27,6 +30,7 @@ impl BiometricBridge {
 uid,
 prompt,
 sessions: HashMap::new(),
+ pending_key: None,
 }
 }
@@ -113,6 +117,12 @@ impl BiometricBridge {
 let key = self.sessions.get(app_id).unwrap();
 let mut resp_json = serde_json::to_string(&resp).unwrap();
+
+ if let Some(mut real_key) = self.pending_key.take() {
+ resp_json = resp_json.replace(KEY_PLACEHOLDER, &real_key);
+ real_key.zeroize();
+ }
+
 let encrypted = enc_string_encrypt(&resp_json, key);
 resp_json.zeroize();
@@ -161,9 +171,11 @@ impl BiometricBridge {
 fn handle_unlock(&mut self, cmd: &str, mid: i64) -> Value {
 match self.unseal_key() {
- Some(key_b64) => {
+ Some(mut key_b64) => {
 crate::log::info("-> unlock granted");
- self.reply(cmd, mid, json!({"response": true, "userKeyB64": key_b64}))
+ let resp = self.reply(cmd, mid, json!({"response": true, "userKeyB64": KEY_PLACEHOLDER}));
+ self.pending_key = Some(std::mem::take(&mut key_b64));
+ resp
 }
 None => {
 crate::log::warn("unlock denied or failed");
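Review bot: `pending_key` in the first hunk parks the unsealed key in a long-lived struct field, and (assuming the stripped type parameter is `String`) nothing wipes it when the bridge is dropped or the field is overwritten while a key is still pending. Declaring it as `pending_key: Option<Zeroizing<String>>` with `zeroize::Zeroizing` would wipe it on every drop path instead of relying on the consumer in the encrypt step. Neither new item is documented; I would add `/// Sentinel serialized in place of the user key; swapped for the real key only after the response has left serde_json::Value.` above `KEY_PLACEHOLDER`, and a line comment on the field naming which call sets it and which one consumes it.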
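Review bot: In the hunk at new line 117, `resp_json.replace(KEY_PLACEHOLDER, &real_key)` rewrites every occurrence of the sentinel in whichever response is encrypted next, and nothing ties `pending_key` to the message or `app_id` that produced it. If an unlock reply never reaches this code, the key stays pending and can end up in a later response, possibly for another session, that happens to contain the fixed sentinel text; whether other response fields can carry that text is not visible here. I would fail closed unless the sentinel occurs exactly once, e.g. `if resp_json.matches(KEY_PLACEHOLDER).count() != 1 { real_key.zeroize(); /* return an error */ }`, and store the message id next to the key so it can be checked before substituting. The enclosing function starts and ends outside the hunk.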
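Review bot: In `handle_unlock`, `Some(mut key_b64)` followed by `std::mem::take(&mut key_b64)` is a move written the long way; `self.pending_key = Some(key_b64);` is equivalent and needs no `mut` binding. The assignment also drops any key that is already pending without wiping it, so `if let Some(mut old) = self.pending_key.replace(key_b64) { old.zeroize(); }` would be safer. This path relies on the encrypt step running after `handle_unlock` returns; a short comment stating that ordering would help, since `reply` and the caller are outside the hunk.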