binance-exchange / binance-java-api

binance-java-api is a lightweight Java library for the Binance API, supporting synchronous and asynchronous requests, as well as event streaming using WebSockets.
MIT License
830 stars 622 forks source link

Secret key should be stored as a byte[] #402

Open antlen opened 3 years ago

antlen commented 3 years ago

https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx

However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords.

antlen commented 3 years ago

There is no real need to store a secret key as a String as Binance just needs the byte[] to create the SecretKeySpec. Added to this, a lot of developers will store their private key in a java keystore and when the key is loaded from the keystore it will be in a byte[]. So the the ideal scenario is to load the key as byte[] from the keystore and pass to binance to create the SecretKeySpec from the byte[]. In this flow the secret key never needs to be stored as a String for the lifetime of the application.

char[] keystorePassword; // ="xxxxx"; KeyStore keystore = KeyStore.getInstance("JCEKS"); keystore.load(new FileInputStream(ATH), password); Key k = keystore.getKey("BinanceSecretKey", password); SecretKeySpec secret = new SecretKeySpec(k.getEncoded(),"AES"); BinanceApiClientFactory factory = BinanceApiClientFactory.newInstance(apiKey, secret.getEncoded());