[jetty-dev] QuicServerConnector severe security issue


If I read the code of the QuicServerConnector (version 10.0.9) correctly, then the decrypted plain private key is stored on the filesystem.
This is an absolute no-go.

Regards, Thomas Lußnig


            char[] keyStorePassword = this.sslContextFactory.getKeyStorePassword().toCharArray();
            String keyManagerPassword = this.sslContextFactory.getKeyManagerPassword();
            SSLKeyPair keyPair = new SSLKeyPair(this.sslContextFactory.getKeyStoreResource().getFile(),
                    this.sslContextFactory.getKeyStoreType(), keyStorePassword, alias,
                    keyManagerPassword == null ? keyStorePassword : keyManagerPassword.toCharArray());
            File[] pemFiles = keyPair.export(new File(System.getProperty("")));
            this.privateKeyFile = pemFiles[0];
            this.certificateChainFile = pemFiles[1];
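
An added example, not part of the original post and not Jetty code: assuming a plaintext PEM key file cannot be avoided, this sketch shows how to limit its exposure by creating it owner-only inside a private directory and deleting it after use. The class and method names (`OwnerOnlyPemExport`, `exportPrivateKey`) are hypothetical, the key is generated in place as sample data, and a POSIX file system and Java 11+ are assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.util.Base64;
import java.util.Set;

public class OwnerOnlyPemExport {
    // Hypothetical helper (not a Jetty API): write a PKCS#8 private key as PEM
    // into a file that is created with mode 0600.
    static Path exportPrivateKey(PrivateKey key, Path dir) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        // Permissions are passed at creation time, so the file never exists with
        // wider access. Throws UnsupportedOperationException on non-POSIX systems.
        Path pem = Files.createTempFile(dir, "quic-key-", ".pem", ownerOnly);
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
            .encodeToString(key.getEncoded());
        Files.writeString(pem, "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n");
        return pem;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key; stands in for the entry read from the keystore.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate();

        // Private per-process directory (mode 0700) instead of a shared location.
        Path dir = Files.createTempDirectory("quic-pem-",
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        Path pem = exportPrivateKey(key, dir);
        try {
            System.out.println(pem + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(pem)));
            // ... pass the path to the component that needs a PEM file ...
        } finally {
            // Remove the plaintext key as soon as it is no longer needed.
            Files.deleteIfExists(pem);
            Files.deleteIfExists(dir);
        }
    }
}
```

This narrows who can read the exported key and for how long; the key is still on disk in plaintext while the file exists.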