This repository was archived by the owner on Jun 1, 2026. It is now read-only.

security: CWE-377: Insecure tmp private keys — VC-53731#145

Open: torresashjiancyber wants to merge 1 commit into Venafi:main from torresashjiancyber:VC-53731-logos-fix-c

Conversation

@torresashjiancyber


Summary

Fixes a CWE-377 (Insecure Temporary File) vulnerability in certificate issuance scripts that were writing private keys to /tmp with world-readable permissions.

Finding

The issue-cert.sh scripts in both projects/ccm-idp/ and projects/secrets-manager/ were creating private key files in predictable /tmp locations with default permissions (0644), allowing any local user to read the private keys before they were moved or deleted.

CVSS: 5.7 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Remediation

Applied the following security hardening measures:

  1. Set restrictive umask: Added umask 077 at script initialization to ensure all created files have 0600 permissions (readable/writable only by owner)
  2. Secure temp directory creation: Replaced predictable /tmp/$cn and /tmp/${CERT_NAME} paths with mktemp -d for cryptographically secure temporary directory creation
  3. Automatic cleanup: Added trap 'rm -rf "$tmp_dir"' EXIT to ensure temporary files are deleted on script exit (success or failure)

Verification

  • No build or test infrastructure detected in repository
  • Changes verified by code review
  • Private keys now created with 0600 permissions in secure temporary directories
  • Cleanup trap ensures no residual key material on disk
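The three remediation steps described in this PR (restrictive umask, mktemp -d, EXIT trap) combined into one self-checking shell function, as an added illustration that is not the PR's own diff; issue_cert_secure, perm_of and the placeholder key contents are constructed for the example, and a real issuance script would call its CA tooling where the placeholder is written.

```bash
#!/usr/bin/env bash
# Added illustration of the hardened temp-file pattern (not the PR's diff).
# Names and the placeholder "key" are constructed for this example.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Usage: issue_cert_secure <cert-name> <destination-dir>
# Prints the scratch directory it used so a caller can confirm cleanup.
issue_cert_secure() {
    local cert_name="$1" out_dir="$2"
    # The subshell scopes umask and the EXIT trap to this one issuance,
    # the same way they are scoped to a standalone issue-cert.sh run.
    (
        # 1. Every file created from here on is 0600 (directories 0700),
        #    whatever umask the caller's environment had.
        umask 077

        # 2. Unpredictable, owner-only scratch directory instead of the
        #    guessable /tmp/$cert_name.
        tmp_dir="$(mktemp -d)" || exit 1

        # 3. Remove the scratch directory on any exit, success or failure.
        trap 'rm -rf "$tmp_dir"' EXIT
        printf '%s\n' "$tmp_dir"

        key="$tmp_dir/$cert_name.key"
        # Constructed placeholder standing in for generated key material.
        printf 'PLACEHOLDER PRIVATE KEY FOR %s\n' "$cert_name" > "$key" || exit 1

        # Fail closed if the key is somehow not owner-only before it
        # leaves the scratch directory.
        [ "$(perm_of "$key")" = "600" ] || exit 1

        # mv keeps the 0600 mode on the final file.
        mv "$key" "$out_dir/$cert_name.key" || exit 1
    )
}
```

After the call returns, the scratch directory it printed no longer exists and the delivered key is mode 0600 in the destination directory.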
