59 lines
1.7 KiB
Plaintext
59 lines
1.7 KiB
Plaintext
include::../../../shared_content/secrets/description.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
|
|
|
=== What is the potential impact?
|
|
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
|
|
|
== How to fix it
|
|
|
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
|
|
|
In most cases, if the key is used as part of a larger trust model (X509, PGP,
|
|
etc), it is necessary to issue and publish a revocation certificate. Doing so
|
|
will ensure that all people and assets that rely on this key for security
|
|
operations are aware of its compromise and stop trusting it.
|
|
|
|
include::../../../shared_content/secrets/fix/recent_use.adoc[]
|
|
|
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
private_key = "-----BEGIN EC PRIVATE KEY-----" \
|
|
"MF8CAQEEGEfVxjrMPigNhGP6DqH6DPeUZPbaoaCCXaAKBggqhkjOPQMBAaE0AzIA" \
|
|
"BCIxho34upZyXDi/AUy/TBisGeh4yKJN7pit9Z+nKs4QajVy97X8W9JdySlbWeRt" \
|
|
"2w==" \
|
|
"-----END EC PRIVATE KEY-----"
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,python,diff-id=1,diff-type=compliant]
|
|
----
|
|
with open("/path/to/private.key","r") as key_file:
|
|
private_key = key_file.read()
|
|
----
|
|
|
|
//=== How does this work?
|
|
|
|
//=== Pitfalls
|
|
|
|
//=== Going the extra mile
|
|
|
|
== Resources
|
|
|
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|
|
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage]
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
|
|
|
|
//=== Benchmarks
|