[jetty-dev] QuicServerConnector severe security issue

Hi,

If I read the code of the QuicServerConnector (version 10.0.9) correctly, then the decrypted plain private key is stored on the filesystem.
This is an absolute no-go.

Regards, Thomas Lußnig

org.eclipse.jetty.quic.server.QuicServerConnector

    doStart()
            char[] keyStorePassword = this.sslContextFactory.getKeyStorePassword().toCharArray();
            String keyManagerPassword = this.sslContextFactory.getKeyManagerPassword();
            SSLKeyPair keyPair = new SSLKeyPair(this.sslContextFactory.getKeyStoreResource().getFile(),
                    this.sslContextFactory.getKeyStoreType(), keyStorePassword, alias,
                    keyManagerPassword == null ? keyStorePassword : keyManagerPassword.toCharArray());
            File[] pemFiles = keyPair.export(new File(System.getProperty("java.io.tmpdir")));
            this.privateKeyFile = pemFiles[0];
            this.certificateChainFile = pemFiles[1];


