hyperledger / anoncreds-rs
https://wiki.hyperledger.org/display/anoncreds
Apache License 2.0

Zeroing the Link Secret #202

Open dbluhm opened 1 year ago

dbluhm commented 1 year ago

I raised a question on Discord and it was recommended I raise it as an issue to track here. Original message pasted below:

I was reading through this issue https://github.com/hyperledger/anoncreds-rs/issues/194 and had a question:

With the link secret (formerly master secret) now being returned as just a plain old string value, should we be thinking about zeroing out memory where the secret was held? I'm not in the habit of thinking about this in python but that was perhaps one advantage of having the rust layer hold the value so that it could then zero the memory when it was released.

@blu3beri responded to my question on Discord indicating that zeroing the link secret is probably something we want to do but there are some complexities that arise from the fact that it's a BigNumber type from Ursa which doesn't implement zeroize.

dbluhm commented 1 year ago

Some input from @andrewwhitehead:

In python we actually use the buffer protocol to copy data from an indy-credx object to askar without leaving duplicates, but that's not always possible. For example: https://github.com/hyperledger/aries-cloudagent-python/blob/99b9e3713334c078212683c536277dc944025417/aries_cloudagent/indy/credx/holder.py#L84 raw_value is a memoryview object, which just references the buffer that will be zeroed

From what I understand, this means that the Python wrapper can pass around a value like the link secret without needing to copy the bytes out of the original buffer. As discussed on Discord, this means that, even though the link secret does need to be passed beyond the FFI boundary at least so the caller can store it in Askar or similar, this can be done in a way that the Rust layer can still effectively zeroize the link secret from memory.

Currently, the anoncreds-rs python wrapper will not accept a memoryview object for the link secret value in methods like process_credential and is strictly expecting a string value.
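The buffer-protocol pattern Andrew describes, as an added example that is not code from anoncreds-rs, indy-credx, ACA-Py or Askar: the native layer's buffer is simulated with a ctypes array, the secret bytes are a constructed sample, and `native_secret_buffer`, `borrow_secret`, `zeroize` and `store_then_zeroize` are hypothetical helper names. It shows that a memoryview sees the zeroized buffer, while a `str` copy forced by a string-only API survives zeroizing.

```python
import ctypes

# Constructed sample; stands in for a link secret produced by the native layer.
SAMPLE_SECRET = b"12345678901234567890"


def native_secret_buffer(secret: bytes) -> ctypes.Array:
    """Hypothetical stand-in for a buffer allocated and owned by the Rust/FFI side.

    The real library would allocate this natively; a ctypes array is used here
    so the example runs offline.
    """
    return (ctypes.c_ubyte * len(secret)).from_buffer_copy(secret)


def borrow_secret(buf: ctypes.Array) -> memoryview:
    """Expose the native buffer via the buffer protocol without duplicating bytes.

    The memoryview references the same memory, so zeroing the buffer later
    also clears what the view observes.
    """
    return memoryview(buf)


def zeroize(buf: ctypes.Array) -> None:
    """Overwrite the native buffer in place (what the Rust layer does on release)."""
    ctypes.memset(ctypes.addressof(buf), 0, ctypes.sizeof(buf))


def store_then_zeroize(secret: bytes) -> dict:
    """Hand the secret to a store through a memoryview, then zeroize the source.

    Returns observations for checking:
      view_before    - bytes read through the view before zeroizing
      view_after     - bytes read through the same view after zeroizing (all zero)
      stored_len     - size of the copy a buffer-protocol store took for itself
      str_copy_after - an immutable str copy, which a string-only API forces and
                       which zeroizing cannot reach (the duplicate the issue warns about)
    """
    buf = native_secret_buffer(secret)
    view = borrow_secret(buf)
    view_before = bytes(view)
    # A store that accepts buffer-protocol objects copies into memory it manages.
    stored = bytearray(view)
    # A wrapper that insists on `str` creates an immutable copy nothing can zero.
    str_copy = view.tobytes().decode("ascii")
    zeroize(buf)
    return {"view_before": view_before, "view_after": bytes(view),
            "stored_len": len(stored), "str_copy_after": str_copy}
```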