+ "details": "`internal/pki/resolver.go:36-64` constructs a `CAManager` with the plaintext `ed25519.PrivateKey` after unwrapping via the master key; `internal/pki/ca.go:13-16` stores it. Callers at `internal/api/enroll.go:116`, `internal/api/updates.go:297`, and `internal/api/mobile_bundle.go:40` use the manager for one `Sign()` and drop the reference on function return — but the underlying slice contents are not wiped before release.\n\nThe keystore package's contract (`internal/keystore/keystore.go` doc: *\"Callers MUST zeroise the returned plaintext DEK as soon as it is no longer needed\"*) is not met by the `CAManager` consumer. Decrypted CA private keys persist in process heap until Go's GC scavenges the underlying slice — minutes to hours under load, indefinitely on idle servers.\n\n## Affected\nAll released versions up to v0.3.6.\n\n## Threat model\nMemory-read access: core dump, ptrace, kernel swap to disk, container/VM snapshot, OOM-debug bundle, side-channel via shared cache lines. Not a remote-network vulnerability, but defeats the master-key + envelope-encryption design's promise of \"private key never lingers\".\n\n## Suggested fix\nAdd a `Wipe()` method on `CAManager`:\n\n```go\n// internal/pki/ca.go\nfunc (m *CAManager) Wipe() {\n if m == nil {\n return\n }\n keystore.Zeroize(m.caKey)\n}\n```\n\nAt each call site (`enroll.go:116`, `updates.go:297`, `mobile_bundle.go:40`, and any new caller), `defer caMgr.Wipe()` immediately after the `Resolve()` call. Pattern mirrors the existing `defer keystore.Zeroize(dek)` discipline in the keystore package.\n\nOptional follow-up: wrap `m.Sign()` to zeroize after each call, removing the contract on callers — but the `defer` pattern is sufficient as a minimum.",
0 commit comments