Menu
▾
▴
[Ejbca-develop] Allow to modify the built-in password encryption key?
|
From: Jaime H. E. <hab...@gm...> - 2017-03-21 17:45:59
|
I'm looking that EJBCA is currently hardcoding the password encryption key
in org.cesecore.util.StringTools:
...
private static final char[] p = deobfuscate("
*OBF:1m0r1kmo1ioe1ia01j8z17y41l0q1abo1abm1abg1abe1kyc17ya1j631i5y1ik01kjy1lxf*
").toCharArray();
...
But, why don't you allow it to be overrided from configuration files?, this
way, encrypted auto-activation passwords would be more secure for the ones
aware of the possibility to override the default encryption key.
Finally and just for reference, take a look at the following similar
mechanism (where users are even forced to change the encryption
key/password) in a completely different framework,
https://www.playframework.com/documentation/2.5.x/ApplicationSecret (the
first paragraph suffices).
--
Jaime Hablutzel - RPC 994690880
|
