Skip to content

AWSCredentials destruction #3764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kai-ion wants to merge 3 commits into
base: main
Choose a base branch
from
+119 −0
Open

AWSCredentials destruction #3764

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6535794
init
kai-ion Mar 27, 2026
f794d4e
copy and move constructor
kai-ion Mar 27, 2026
8e08158
reuse the existing securememclear function
kai-ion Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
119 changes: 119 additions & 0 deletions src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentials.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
#include <aws/core/client/UserAgent.h>
#include <aws/core/utils/memory/stl/AWSString.h>
#include <aws/core/utils/DateTime.h>
#include <aws/core/platform/Security.h>
namespace Aws
{
namespace Auth
Expand Down Expand Up @@ -98,6 +99,104 @@ namespace Aws
m_expiration(expiration),
m_accountId(accountId) {}

/**
* Copy constructor.
*/
AWSCredentials(const AWSCredentials& other)
: m_accessKeyId(other.m_accessKeyId),
m_secretKey(other.m_secretKey),
m_sessionToken(other.m_sessionToken),
m_expiration(other.m_expiration),
m_accountId(other.m_accountId),
m_context(other.m_context)
{
}

/**
* Move constructor.
*/
AWSCredentials(AWSCredentials&& other) noexcept
: m_accessKeyId(std::move(other.m_accessKeyId)),
m_secretKey(std::move(other.m_secretKey)),
m_sessionToken(std::move(other.m_sessionToken)),
m_expiration(std::move(other.m_expiration)),
m_accountId(std::move(other.m_accountId)),
m_context(std::move(other.m_context))
{
}

/**
* Destructor that securely clears sensitive credential data from memory.
*/
~AWSCredentials()
{
// Securely clear sensitive credential data
if (!m_secretKey.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_secretKey[0]), m_secretKey.size());
}
if (!m_sessionToken.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_sessionToken[0]), m_sessionToken.size());
}
}

/**
* Copy assignment operator that securely clears old credential data before assignment.
*/
AWSCredentials& operator=(const AWSCredentials& other)
{
if (this != &other)
{
// Clear old sensitive data before overwriting
if (!m_secretKey.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_secretKey[0]), m_secretKey.size());
}
if (!m_sessionToken.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_sessionToken[0]), m_sessionToken.size());
}

// Copy all members
m_accessKeyId = other.m_accessKeyId;
m_secretKey = other.m_secretKey;
m_sessionToken = other.m_sessionToken;
m_expiration = other.m_expiration;
m_accountId = other.m_accountId;
m_context = other.m_context;
}
return *this;
}

/**
* Move assignment operator that securely clears old credential data before assignment.
*/
AWSCredentials& operator=(AWSCredentials&& other) noexcept
{
if (this != &other)
{
// Clear old sensitive data before overwriting
if (!m_secretKey.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_secretKey[0]), m_secretKey.size());
}
if (!m_sessionToken.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_sessionToken[0]), m_sessionToken.size());
}

// Move all members
m_accessKeyId = std::move(other.m_accessKeyId);
m_secretKey = std::move(other.m_secretKey);
m_sessionToken = std::move(other.m_sessionToken);
m_expiration = std::move(other.m_expiration);
m_accountId = std::move(other.m_accountId);
m_context = std::move(other.m_context);
}
return *this;
}

bool operator == (const AWSCredentials& other) const
{
return m_accessKeyId == other.m_accessKeyId
Expand Down Expand Up @@ -184,6 +283,11 @@ namespace Aws
*/
inline void SetAWSSecretKey(const Aws::String& secretKey)
{
// Clear old value before setting new one
if (!m_secretKey.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_secretKey[0]), m_secretKey.size());
}
m_secretKey = secretKey;
}

Expand All @@ -192,6 +296,11 @@ namespace Aws
*/
inline void SetSessionToken(const Aws::String& sessionToken)
{
// Clear old value before setting new one
if (!m_sessionToken.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_sessionToken[0]), m_sessionToken.size());
}
m_sessionToken = sessionToken;
}

Expand All @@ -217,6 +326,11 @@ namespace Aws
*/
inline void SetAWSSecretKey(const char* secretKey)
{
// Clear old value before setting new one
if (!m_secretKey.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_secretKey[0]), m_secretKey.size());
}
m_secretKey = secretKey;
}

Expand All @@ -225,6 +339,11 @@ namespace Aws
*/
inline void SetSessionToken(const char* sessionToken)
{
// Clear old value before setting new one
if (!m_sessionToken.empty())
{
Aws::Security::SecureMemClear(reinterpret_cast<unsigned char*>(&m_sessionToken[0]), m_sessionToken.size());
}
m_sessionToken = sessionToken;
}

Expand Down
Loading