Merge pull request #984 from mq-cloudpak/pranav-4611-go-sensitive-strings-sc2

Ensure sensitive strings/byte buffers are zeroed in memory before GC in SC2

Author: Pranav Goyal

internal/keystore/keystore.go

@@ -27,19 +27,20 @@ import (
 
 	"github.com/ibm-messaging/mq-container/internal/command"
 	"github.com/ibm-messaging/mq-container/internal/fips"
+	"github.com/ibm-messaging/mq-container/internal/sensitive"
 )
 
 // KeyStore describes information about a keystore file
 type KeyStore struct {
 	Filename     string
-	Password     string
+	Password     *sensitive.Sensitive
 	keyStoreType string
 	command      string
 	fipsEnabled  bool
 }
 
 // NewJKSKeyStore creates a new Java Key Store, managed by the runmqckm command
-func NewJKSKeyStore(filename, password string) *KeyStore {
+func NewJKSKeyStore(filename string, password *sensitive.Sensitive) *KeyStore {
 	keyStore := &KeyStore{
 		Filename:     filename,
 		Password:     password,
@@ -52,7 +53,7 @@ func NewJKSKeyStore(filename, password string) *KeyStore {
 }
 
 // NewCMSKeyStore creates a new MQ CMS Key Store, managed by the runmqakm command
-func NewCMSKeyStore(filename, password string) *KeyStore {
+func NewCMSKeyStore(filename string, password *sensitive.Sensitive) *KeyStore {
 	keyStore := &KeyStore{
 		Filename:     filename,
 		Password:     password,
@@ -65,7 +66,7 @@ func NewCMSKeyStore(filename, password string) *KeyStore {
 }
 
 // NewPKCS12KeyStore creates a new PKCS12 Key Store, managed by the runmqakm command
-func NewPKCS12KeyStore(filename, password string) *KeyStore {
+func NewPKCS12KeyStore(filename string, password *sensitive.Sensitive) *KeyStore {
 	keyStore := &KeyStore{
 		Filename:     filename,
 		Password:     password,
@@ -111,7 +112,7 @@ func (ks *KeyStore) Create() error {
 	}
 
 	// Create the keystore now we're sure it doesn't exist
-	out, _, err := command.Run(ks.command, "-keydb", "-create", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
+	out, _, err := command.Run(ks.command, "-keydb", "-create", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password.String(), "-stash")
 	if err != nil {
 		return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
 	}
@@ -126,7 +127,7 @@ func (ks *KeyStore) CreateStash() error {
 	_, err := os.Stat(stashFile)
 	if err != nil {
 		if os.IsNotExist(err) {
-			out, _, err := command.Run(ks.command, "-keydb", ks.getFipsEnabledFlag(), "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+			out, _, err := command.Run(ks.command, "-keydb", ks.getFipsEnabledFlag(), "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password.String())
 			if err != nil {
 				return fmt.Errorf("error running \"%v -keydb -stashpw\": %v %s", ks.command, err, out)
 			}
@@ -137,8 +138,8 @@ func (ks *KeyStore) CreateStash() error {
 }
 
 // Import imports a certificate file in the keystore
-func (ks *KeyStore) Import(inputFile, password string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-import", ks.getFipsEnabledFlag(), "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
+func (ks *KeyStore) Import(inputFile string, password *sensitive.Sensitive) error {
+	out, _, err := command.Run(ks.command, "-cert", "-import", ks.getFipsEnabledFlag(), "-file", inputFile, "-pw", password.String(), "-target", ks.Filename, "-target_pw", ks.Password.String(), "-target_type", ks.keyStoreType)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -import\": %v %s", ks.command, err, out)
 	}
@@ -147,7 +148,7 @@ func (ks *KeyStore) Import(inputFile, password string) error {
 
 // CreateSelfSignedCertificate creates a self-signed certificate in the keystore
 func (ks *KeyStore) CreateSelfSignedCertificate(label, dn, hostname string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-create", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-pw", ks.Password, "-label", label, "-dn", dn, "-san_dnsname", hostname, "-size 2048 -sig_alg sha512 -eku serverAuth")
+	out, _, err := command.Run(ks.command, "-cert", "-create", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-pw", ks.Password.String(), "-label", label, "-dn", dn, "-san_dnsname", hostname, "-size 2048 -sig_alg sha512 -eku serverAuth")
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -create\": %v %s", ks.command, err, out)
 	}
@@ -156,7 +157,7 @@ func (ks *KeyStore) CreateSelfSignedCertificate(label, dn, hostname string) erro
 
 // Add adds a CA certificate to the keystore
 func (ks *KeyStore) Add(inputFile, label string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-add", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile, "-label", label)
+	out, _, err := command.Run(ks.command, "-cert", "-add", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password.String(), "-file", inputFile, "-label", label)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
 	}
@@ -165,7 +166,7 @@ func (ks *KeyStore) Add(inputFile, label string) error {
 
 // Add adds a CA certificate to the keystore
 func (ks *KeyStore) AddNoLabel(inputFile string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-add", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password, "-file", inputFile)
+	out, _, err := command.Run(ks.command, "-cert", "-add", ks.getFipsEnabledFlag(), "-db", ks.Filename, "-type", ks.keyStoreType, "-pw", ks.Password.String(), "-file", inputFile)
 	if err != nil {
 		return fmt.Errorf("error running \"%v -cert -add\": %v %s", ks.command, err, out)
 	}
@@ -174,7 +175,7 @@ func (ks *KeyStore) AddNoLabel(inputFile string) error {
 
 // GetCertificateLabels returns the labels of all certificates in the key store
 func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
-	out, _, err := command.Run(ks.command, "-cert", "-list", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+	out, _, err := command.Run(ks.command, "-cert", "-list", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password.String())
 	if err != nil {
 		return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
 	}
@@ -200,14 +201,14 @@ func (ks *KeyStore) RenameCertificate(from, to string) error {
 		// runmqakm can't handle certs with ' in them so just use capicmd
 		// Overriding gosec here as this function is in an internal package and only callable by our internal functions.
 		// #nosec G204
-		cmd := exec.Command("/opt/mqm/gskit8/bin/gsk8capicmd_64", "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
+		cmd := exec.Command("/opt/mqm/gskit8/bin/gsk8capicmd_64", "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password.String(), "-label", from, "-new_label", to)
 		cmd.Env = append(os.Environ(), "LD_LIBRARY_PATH=/opt/mqm/gskit8/lib64/:/opt/mqm/gskit8/lib")
 		out, err := cmd.CombinedOutput()
 		if err != nil {
 			return fmt.Errorf("error running \"%v -cert -rename\": %v %s", "/opt/mqm/gskit8/bin/gsk8capicmd_64", err, out)
 		}
 	} else {
-		out, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
+		out, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password.String(), "-label", from, "-new_label", to)
 		if err != nil {
 			return fmt.Errorf("error running \"%v -cert -rename\": %v %s", ks.command, err, out)
 		}
@@ -218,7 +219,7 @@ func (ks *KeyStore) RenameCertificate(from, to string) error {
 
 // ListAllCertificates Lists all certificates in the keystore
 func (ks *KeyStore) ListAllCertificates() ([]string, error) {
-	out, _, err := command.Run(ks.command, "-cert", "-list", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
+	out, _, err := command.Run(ks.command, "-cert", "-list", ks.getFipsEnabledFlag(), "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password.String())
 	if err != nil {
 		return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
 	}

internal/securityutility/securityutility.go

@@ -24,22 +24,30 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/ibm-messaging/mq-container/internal/sensitive"
 )
 
 // EncodeSecrets takes a secret/password as an input and encodes the password using securityUtility
 // and returns the encoded password
-func EncodeSecrets(secret string) (string, error) {
+func EncodeSecrets(secret *sensitive.Sensitive) (string, error) {
 	_, err := os.Stat("/opt/mqm/web/bin/securityUtility")
 	if err != nil && os.IsNotExist(err) {
 		return "", err
 	}
-	if len(secret) > 256 {
-		return "", fmt.Errorf("length of password is greater than the maximum length of 256 characters, length of password is %d", len(secret))
+	if secret.Len() > 256 {
+		return "", fmt.Errorf("length of password is greater than the maximum length of 256 characters, length of password is %d", secret.Len())
+	}
+	script := []byte("source setmqenv -s;/opt/mqm/web/bin/server; /opt/mqm/web/bin/securityUtility encode --encoding=aes ")
+	scriptSecret := sensitive.New(script)
+	err = scriptSecret.Append(secret)
+	if err != nil {
+		return "", err
 	}
 	// Set the java environment required for running securityUtility tool and then run the securityUtility tool
 	// to encode the password using "aes" encoding
 	// #nosec G204
-	cmd := exec.Command("/bin/sh", "-c", "source setmqenv -s;/opt/mqm/web/bin/server; /opt/mqm/web/bin/securityUtility encode --encoding=aes "+secret)
+	cmd := exec.Command("/bin/sh", "-c", scriptSecret.String())
 	cmd.Env = os.Environ()
 	cmd.Env = append(cmd.Env, "JAVA_HOME=/opt/mqm/java/jre64/jre")
 

internal/sensitive/sensitive.go

@@ -0,0 +1,98 @@
+/*
+© Copyright IBM Corporation 2025
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sensitive
+
+import (
+	"runtime"
+	"unsafe"
+)
+
+// Sensitive ensures that memory used for sensitive strings/byte buffers is cleared (overwritten with zeroes) after garbage collection occurs
+type Sensitive struct {
+	*meta
+}
+
+type meta struct {
+	buf []byte
+	pin *runtime.Pinner
+}
+
+// New creates a new Sensitive object
+//
+// NOTE: Ownership of the buffer should transfer to the Sensitive object and the buffer passed should not continue to be used by the caller
+func New(buf []byte) *Sensitive {
+	s := &Sensitive{}
+	s.setMeta(buf)
+	return s
+}
+
+// Write appends the byte slice to the underlying buffer.
+// If the buffer needs to grow and is moved, the original location will be zeroed as part of the Write call.
+func (s *Sensitive) Write(b []byte) error {
+	newBuf := append(s.buf, b...)
+	if &newBuf[0] != &s.buf[0] {
+		// buffer starts at a new address - must have moved to a new memory block
+		zeroMeta(s.meta)
+		s.setMeta(newBuf)
+		return nil
+	}
+	// buffer hasn't moved, don't zero out current buffer as it's still in use, but do update the buffer to capture new length etc.
+	s.buf = newBuf
+	return nil
+}
+
+func (s Sensitive) Len() int {
+	return len(s.buf)
+}
+
+func (s *Sensitive) Append(other *Sensitive) error {
+	return s.Write(other.buf)
+}
+
+// Clear triggers an immediate clear of the underlying buffer without waiting for garbage collection to occur
+func (s *Sensitive) Clear() {
+	zeroMeta(s.meta)
+}
+
+// String returns a string that points to the underlying managed buffer
+//
+// NOTE: if the Sensitive object is garbage collected, or Clear() is called, this string will be zeroed even if it remains in scope
+func (s *Sensitive) String() string {
+	// #nosec G103 - unsafe package is required in order to prevent memory copy during type conversion to string
+	return unsafe.String(unsafe.SliceData(s.meta.buf), len(s.buf))
+}
+
+// setMeta creates a new metadata object, pinning its location in memory and registering finalizers to zero the underlying buffer on garbage collection
+func (s *Sensitive) setMeta(buf []byte) {
+	m := &meta{
+		buf: buf,
+		pin: &runtime.Pinner{},
+	}
+	m.pin.Pin(&buf)
+	s.meta = m
+	runtime.SetFinalizer(m, zeroMeta)
+}
+
+// zeroMeta zeroes the underlying buffer and removes all finalizers and memory pins
+func zeroMeta(m *meta) {
+	for i := range len(m.buf) {
+		m.buf[i] = 0
+	}
+	runtime.KeepAlive(m.buf)
+	m.pin.Unpin()
+	runtime.SetFinalizer(m, nil)
+}