Zeroize data in private key construction (#4562)

gupnik · web-flow · commit 90d28e6eabc4 · 2025-11-13T14:15:56.000+05:30
diff --git a/src/PrivateKey.cpp b/src/PrivateKey.cpp
@@ -55,6 +55,12 @@ PrivateKey::PrivateKey(const Data& data, TWCurve curve) {
     _impl = Rust::wrapTWPrivateKey(privkey);
 }
 
+PrivateKey::PrivateKey(const std::string& data, TWCurve curve) {
+    auto bytes = TW::data(data);
+    *this = PrivateKey(bytes, curve);
+    memzero(bytes.data(), bytes.size());
+}
+
 PrivateKey::PrivateKey(
     const Data& key1, const Data& extension1, const Data& chainCode1,
     const Data& key2, const Data& extension2, const Data& chainCode2,
diff --git a/src/PrivateKey.h b/src/PrivateKey.h
@@ -50,7 +50,7 @@ class PrivateKey {
 
     /// Initializes a private key from a string of bytes and a curve.
     /// Signing functions will throw an exception if the provided curve is different from the one specified.
-    explicit PrivateKey(const std::string& data, TWCurve curve) : PrivateKey(TW::data(data), curve) {}
+    explicit PrivateKey(const std::string& data, TWCurve curve);
 
     /// Initializes a Cardano style key with a specified curve.
     /// Signing functions will throw an exception if the provided curve is different from the one specified.
