Mask challenge password after it has been read

This commit is contained in:
Herman Slatman 2021-04-16 14:09:34 +02:00
parent 0487686f69
commit 9787728fbd
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F

View file

@ -20,6 +20,8 @@ type SCEP struct {
Options *Options `json:"options,omitempty"`
Claims *Claims `json:"claims,omitempty"`
claimer *Claimer
secretChallengePassword string
}
// GetID returns the provisioner unique identifier.
@ -73,6 +75,10 @@ func (s *SCEP) Init(config Config) (err error) {
return err
}
// Mask the actual challenge value, so it won't be marshalled
s.secretChallengePassword = s.ChallengePassword
s.ChallengePassword = "*** redacted ***"
// TODO: add other, SCEP specific, options?
return err
@ -95,7 +101,7 @@ func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
// GetChallengePassword returns the challenge password
func (s *SCEP) GetChallengePassword() string {
return s.ChallengePassword
return s.secretChallengePassword
}
// GetCapabilities returns the CA capabilities