i2p / i2p.i2p

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
https://geti2p.net

Use of Hardcoded Credentials #66

Closed s-b-repo closed 11 months ago

s-b-repo commented 11 months ago

```
 */
public static KeyStore createKeyStore(File ksFile, String password)
                            throws GeneralSecurityException, IOException {
    boolean exists = ksFile != null && ksFile.exists();
    char[] pwchars = password != null ? password.toCharArray() : null;
```

Do not hardcode passwords in code. Found hardcoded password used in core/java/src/net/i2p/crypto/KeyStoreUtil.java#L155

Following lines: 155, 170, 204, 223, 245, 251, 258, 1021, 1050, 1152, 1184, 1209, 1443

```
DEFAULT_KEYSTORE_PASSWORD.toCharArray());
password.toCharArray() :
ksPW.toCharArray()
```

apps/i2pcontrol/java/net/i2p/i2pcontrol/security/SecurityManager.java#L43

```
/**
 * Manage the password storing for I2PControl.
 */
public class SecurityManager {
    public final static String DEFAULT_AUTH_PASSWORD = "itoopie";
```

eyedeekay commented 11 months ago

Not a bug. This is just a default password which is emitted to a default configuration file. The actual password is the one that is configured by the user in the configuration file. Also this is in an API which is confined to the localhost and off-by-default.
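
A triage sketch for the kind of finding reported above, as an added example that is not part of the issue thread or the I2P code base: it separates `.toCharArray()` calls on string literals and named default constants from calls on parameters and variables, since the report lists both kinds. The sample source is constructed from the fragments quoted in the report, the `ks.load(...)` call sites are assumed, and the value shown for `DEFAULT_KEYSTORE_PASSWORD` is a placeholder because the page does not give it.

```python
import re

# Constructed sample assembled from the fragments quoted in the issue.
# The ks.load(...) call sites and the DEFAULT_KEYSTORE_PASSWORD value are
# assumptions for illustration; they are not taken from the I2P source.
SAMPLE = '''\
public static final String DEFAULT_KEYSTORE_PASSWORD = "<placeholder>";
public final static String DEFAULT_AUTH_PASSWORD = "itoopie";
public static KeyStore createKeyStore(File ksFile, String password) {
    char[] pwchars = password != null ? password.toCharArray() : null;
    ks.load(null, DEFAULT_KEYSTORE_PASSWORD.toCharArray());
    ks.load(fis, ksPW.toCharArray());
    ks.load(fis, "literal-secret".toCharArray());
}
'''

# A String constant initialised from a literal (either modifier order).
CONST_DEF = re.compile(
    r'\b(?:static\s+final|final\s+static)\s+String\s+(\w+)\s*=\s*"[^"]*"')
# The receiver of .toCharArray(): a quoted literal or a bare identifier.
USE = re.compile(r'("(?:[^"\\]|\\.)*"|\w+)\s*\.toCharArray\(\)')


def triage(source):
    """Return (line, receiver, verdict) for every .toCharArray() call."""
    constants = {m.group(1) for m in CONST_DEF.finditer(source)}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in USE.finditer(line):
            expr = m.group(1)
            if expr.startswith('"'):
                verdict = "literal"        # secret embedded at the call site
            elif expr in constants:
                verdict = "named-default"  # compile-time default value
            else:
                verdict = "runtime-value"  # parameter or variable: trace its source
            findings.append((lineno, expr, verdict))
    return findings


if __name__ == "__main__":
    for lineno, expr, verdict in triage(SAMPLE):
        print(f"line {lineno}: {expr:32} {verdict}")
```

A `runtime-value` verdict only says the value is not fixed on that line; whether it ultimately comes from user configuration or from a default still has to be traced by hand.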