Posted to dev@tomcat.apache.org by Christopher Cain <cc...@mhsoftware.com> on 2001/08/14 01:13:57 UTC

getKeystorePass() method?

I'm in the process of cleaning up the 4.0 SSLServerSocketFactory, and it
occurs to me that I find the getKeystorePass method offensive. There
should never be any reason to retrieve the keystore password once it's
set, and it makes me uncomfortable having the method there. I'm not sure
if it could somehow be called from a webapp, but it could certainly be
called from a malicious module. Even simpler, a single startup class
could be modified to echo the password to either sysout or a logfile. If
I'm working on a module to allow administrators to remove the password
from server.xml, this method becomes a security hole.

Anyone care if I remove this method? It's not currently being called
from anywhere, and I can't think of a legitimate use for it. There
should never be a way to display passwords in any system.

Can I fix this in 3.3 as well?

Your resident paranoid security freak,

Christopher
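Added illustration of the design this post argues for, not code from Tomcat or from the author: the keystore password is taken once as a char[], consumed to load the keystore, wiped in a finally block, and never stored in a field or returned by a getter, so a startup class or module has nothing to echo to sysout or a log file. The class and method names (KeystoreOpener, openKeystore, keyManagers, promptOrFallback) are assumptions, and the in-memory JKS keystore built in main is a constructed stand-in for a .keystore file on disk.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Console;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;

/*
 * Added example, not Tomcat code. Shows a socket-factory-style helper that
 * accepts the keystore password without ever exposing it: no field holds
 * it, no getter returns it, and the caller's buffer is zeroed on every path.
 */
public final class KeystoreOpener {

    /**
     * Load a keystore of the given type from raw bytes. The password array is
     * zeroed before returning, whether loading succeeded or threw, so a wrong
     * password does not leave the secret lying around in memory either.
     */
    public static KeyStore openKeystore(byte[] keystoreBytes, String type, char[] password)
            throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(new ByteArrayInputStream(keystoreBytes), password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Build the KeyManagerFactory an SSLServerSocketFactory actually needs.
     * Again the key password is consumed and wiped; only the factory survives.
     */
    public static KeyManagerFactory keyManagers(KeyStore ks, char[] keyPassword) throws Exception {
        try {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPassword);
            return kmf;
        } finally {
            Arrays.fill(keyPassword, '\0');
        }
    }

    /** True when every char in the buffer has been zeroed. */
    public static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    /**
     * The "prompter" idea from the thread: read the password from the console
     * at startup instead of server.xml. Falls back to a supplied value when no
     * console is attached (e.g. run under an IDE or as a service).
     */
    static char[] promptOrFallback(char[] fallback) {
        Console console = System.console();
        if (console != null) {
            return console.readPassword("Keystore password: ");
        }
        return fallback;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS keystore serialised with a password,
        // standing in for the .keystore file Tomcat would read from disk.
        char[] setupPass = "changeit".toCharArray();
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, setupPass);
        Arrays.fill(setupPass, '\0');
        byte[] keystoreBytes = out.toByteArray();

        // Password enters once, is used once, and is gone afterwards.
        char[] password = promptOrFallback("changeit".toCharArray());
        KeyStore ks = openKeystore(keystoreBytes, "JKS", password);
        System.out.println("keystore loaded, entries=" + ks.size()
                + ", password buffer wiped=" + isWiped(password));
    }
}
```

The reason for char[] rather than String: a String set from a server.xml attribute is immutable and stays in the heap until collected, so even without a getter it can be recovered from a heap dump; a char[] can be overwritten the moment the KeyStore has been loaded. This does not defend against a module loaded by the server's own class loader, which has free run of the JVM anyway; it only removes the convenient, legitimate-looking way of reading the secret back.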

Re: getKeystorePass() method?

Posted by Christopher Cain <cc...@mhsoftware.com>.
Jonathan Cobb wrote:
> 
> [snip]
>
> I think the idea of removing passwords from config files, or at least
> having the option to do so, is a great one.  Keep us posted on the
> status of your module. :)

Will do. Actually, the general feeling at this point is step back and
implement a more comprehensive solution to ALL external resource
security. This would include SSL keystore passwords, JDBC Realm
passwords, LDAP, etc. Users would then have the option of removing _all_
sensitive data from the config files, and instead having them stored in
an encrypted repository. I had hoped to have an unofficial, stopgap SSL
prompter in the meantime, but the changes required to the container
itself initially proved to be too involved just to get one single hack.

Larry Isaacs and I have been trying to get a generic module for
SSL-prompting up and running for the 3.3 space, and he's recently come
up with a rather clever idea for the startup integration conundrum. I'm
in the process of trying to integrate his solution with my command-line
utility in order to provide a temporary solution for SSL security in the
3.3 space, so if you're running Tomcat 3.3 and are concerned about the
keystore password in particular, you may have a temporary workaround
soon. Aside from that, I'd like to see the comprehensive external
security module (codename LitterBox) in a stable state within the next
thirty days or so. A few people have expressed an interest in
contributing to it, so I think that timeframe is doable. I'll keep you
posted =)

Regards,

Christopher

Re: getKeystorePass() method?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 14 Aug 2001, Jonathan Cobb wrote:

> Craig R. McClanahan wrote:
> 
> >On Mon, 13 Aug 2001, Christopher Cain wrote:
> >
> >>I'm in the process of cleaning up the 4.0 SSLServerSocketFactory, and it
> >>occurs to me that I find the getKeystorePass method offensive. There
> >>should never be any reason to retrieve the keystore password once it's
> >>set, and it makes me uncomfortable having the method there. I'm not sure
> >>if it could somehow be called from a webapp,
> >>
> >It cannot.
> >
> Correct me if I am wrong, but this is because the classes used by each 
> webapp are loaded by a webapp-specific classloader, right?
> 

That's part of the reason an app cannot do this.  The more important
reason is that SSLServerSocketFactory (and all the other Catalina internal
classes) are loaded from a class loader that is *not* in the hierarchy
visible to web apps.  The only internal classes that a web app sees are
the facade objects around the Servlet APIs (such as the class that
implements HttpServletRequest).

> >>but it could certainly be
> >>called from a malicious module.
> >>
> >It can.
> >
> And again, this is correct because the malicious module would be loaded 
> by the same classloader used to load the tomcat core classes, right?
> 

Yes.  Classes loaded from the internal class loader (including
valves) have pretty much free rein inside the server.

> >>I'm working on a module to allow administrators to remove the password
> >>from server.xml, this method becomes a security hole.
> >>
> I think the idea of removing passwords from config files, or at least 
> having the option to do so, is a great one.  Keep us posted on the 
> status of your module. :)
> 
> >>There
> >>should never be a way to display passwords in any system.
> >>
> Agreed, *especially* in the case of plaintext passwords.
> 
> 
>   - jonathan.
> 
> 
> 
Craig
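Added illustration of the class loader point Craig makes above, not Catalina code: two loaders that both delegate only to the platform loader are siblings, so a class defined by the "internal" one cannot be resolved through the "webapp" one, while anything loaded by the internal loader (a valve, say) can call the getter freely. The loader names, the IsolatedLoader class and the SslFactory stand-in for SSLServerSocketFactory are assumptions made for the demo; the password value is a constructed sample.

```java
import java.io.InputStream;
import java.lang.reflect.Method;

/*
 * Added example, not Tomcat code. Models the hierarchy described in the
 * thread: the server-internal loader and the per-webapp loader share an
 * ancestor but neither is on the other's delegation path, so internal
 * classes are invisible to web applications but fully exposed to modules
 * loaded by the internal loader.
 */
public class LoaderIsolationDemo {

    /** Stand-in for SSLServerSocketFactory with the getter the thread objects to. */
    public static class SslFactory {
        private static final String keystorePass = "changeit";   // constructed sample
        public static String getKeystorePass() { return keystorePass; }
    }

    /**
     * A loader whose parent is the platform loader only (Java 9+), so it does
     * not see the application class path. It can define exactly one class,
     * from bytes handed to it, and reports everything else as not found.
     */
    static class IsolatedLoader extends ClassLoader {
        private final String owned;
        private final byte[] bytes;

        IsolatedLoader(String name, String owned, byte[] bytes) {
            super(name, ClassLoader.getPlatformClassLoader());
            this.owned = owned;
            this.bytes = bytes;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (name.equals(owned)) {
                return defineClass(name, bytes, 0, bytes.length);
            }
            throw new ClassNotFoundException(name);
        }
    }

    /** Read a class's bytecode from the loader that originally loaded it. */
    static byte[] classBytes(Class<?> c) throws Exception {
        String path = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(path)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        String internalName = SslFactory.class.getName();
        byte[] bytes = classBytes(SslFactory.class);

        // Server-internal loader: the only place SslFactory is defined.
        ClassLoader internal = new IsolatedLoader("internal", internalName, bytes);
        // Web application loader: a sibling, not a child, of the internal loader.
        ClassLoader webapp = new IsolatedLoader("webapp", "no.such.WebappClass", new byte[0]);

        // A valve or other module loaded through the internal loader reaches the getter.
        Class<?> viaInternal = Class.forName(internalName, true, internal);
        Method getter = viaInternal.getMethod("getKeystorePass");
        System.out.println("internal module sees: " + getter.invoke(null));

        // A web application cannot even resolve the class by name.
        try {
            Class.forName(internalName, true, webapp);
            System.out.println("webapp resolved internal class (unexpected)");
        } catch (ClassNotFoundException e) {
            System.out.println("webapp loader: ClassNotFoundException for " + e.getMessage());
        }
    }
}
```

The two Class.forName calls are the whole point: the same binary name succeeds or fails depending solely on which loader is asked, because resolution walks the parent chain and never across to a sibling. It also shows why removing the getter is defence in depth rather than a boundary: code already running in the internal loader could reach a private field by reflection just as easily.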



Re: getKeystorePass() method?

Posted by Jonathan Cobb <jo...@covalent.net>.
Craig R. McClanahan wrote:

>On Mon, 13 Aug 2001, Christopher Cain wrote:
>
>>I'm in the process of cleaning up the 4.0 SSLServerSocketFactory, and it
>>occurs to me that I find the getKeystorePass method offensive. There
>>should never be any reason to retrieve the keystore password once it's
>>set, and it makes me uncomfortable having the method there. I'm not sure
>>if it could somehow be called from a webapp,
>>
>It cannot.
>
Correct me if I am wrong, but this is because the classes used by each 
webapp are loaded by a webapp-specific classloader, right?

>>but it could certainly be
>>called from a malicious module.
>>
>It can.
>
And again, this is correct because the malicious module would be loaded 
by the same classloader used to load the tomcat core classes, right?

>>I'm working on a module to allow administrators to remove the password
>>from server.xml, this method becomes a security hole.
>>
I think the idea of removing passwords from config files, or at least 
having the option to do so, is a great one.  Keep us posted on the 
status of your module. :)

>>There
>>should never be a way to display passwords in any system.
>>
Agreed, *especially* in the case of plaintext passwords.


  - jonathan.



Re: getKeystorePass() method?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 13 Aug 2001, Christopher Cain wrote:

> I'm in the process of cleaning up the 4.0 SSLServerSocketFactory, and it
> occurs to me that I find the getKeystorePass method offensive. There
> should never be any reason to retrieve the keystore password once it's
> set, and it makes me uncomfortable having the method there. I'm not sure
> if it could somehow be called from a webapp,

It cannot.

> but it could certainly be
> called from a malicious module.

It can.

> Even simpler, a single startup class
> could be modified to echo the password to either sysout or a logfile. If
> I'm working on a module to allow administrators to remove the password
> from server.xml, this method becomes a security hole.
> 

Let me double check that there's no dependencies in the J2EE RI -- I don't
think there are, but ...

> Anyone care if I remove this method? It's not currently being called
> from anywhere, and I can't think of a legitimate use for it. There
> should never be a way to display passwords in any system.
> 
> Can I fix this in 3.3 as well?
> 
> Your resident paranoid security freak,
> 
> Christopher
> 

Craig