mock-server/mockserver-node

security issues when using open-source certificate

fabOnReact opened this issue · 3 comments

Describe the feature request

using mock-server-node without exposing myself to man-in-the-middle attacks.

I quote https://www.mock-server.com/mock_server/HTTPS_TLS.html

If the configuration setting dynamicallyCreateCertificateAuthorityCertificate is not enabled, and your OS trusts the MockServer CA X.509, then this would leave your machine open to man-in-the-middle attacks because the corresponding Private Key is in the MockServer github repository. This would allow hackers to compromise all sensitive communications such as to your bank or other sensitive sites.

What you are trying to do
run mock-server-node from the command line using a dynamic certificate. My Grunt file:

module.exports = function(grunt) {
  grunt.initConfig({
    start_mockserver: {
      options: {
        serverPort: 1080,
        trace: true,
        // pass the dynamic-CA settings through to the MockServer JVM
        jvmOptions: "-Dmockserver.dynamicallyCreateCertificateAuthorityCertificate=true -Dmockserver.directoryToSaveDynamicSSLCertificate=/home/fabrizio/Desktop/mockserver"
      }
    },
    stop_mockserver: {
      options: {
        serverPort: 1080
      }
    }
  });
  grunt.loadNpmTasks('mockserver-node');
};

The result is that no private key is generated in /home/fabrizio/Desktop/mockserver, and MockServer uses the key from the open-source GitHub repo https://github.com/mock-server/mockserver/blob/master/mockserver-core/src/main/resources/org/mockserver/socket/PKCS8CertificateAuthorityPrivateKey.pem

2020-11-30 17:44:10 5.11.2 FINEST loaded dynamic CA private key from path org/mockserver/socket/PKCS8CertificateAuthorityPrivateKey.pem

 PEM

  -----BEGIN PRIVATE KEY-----                                                     
  MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDxjka3ZME2NR9X                
  b0D2GgPkaQ/qUm7Lx07VElOh+zUEtqrtabBOkxBtnxPlW9ECF5Hh/o4ys3H8xxgq                
  SFP9KkAruEVcnKyFuAgnV45fk9y+AtCN0ZiDHIk4oOanAL2PT+W0AHVg5FN+mBqw                                                                                                   
  oxml90JZ3RsQ/TPe+CXaVSuHKhcnOjeIADp8rN7kvDDJkh040xQIEf1hXiYnIkJ2                
  pfmcuGRdseugnYzfoT/HIdsh/wgcK0gXNGXh9n5W2BoJIdz8ChKgE6oVWvpn7eHQ                
  q76gcBoQU58xBliv6q5fcQeJk7OBkP2eRPK185b6Ss1SW3wx36lc4BcOH0BRldFz                
  C0ysrzl9AgMBAAECggEAAr70TNdnXt9huNO58FJBYxJSrP485jIg0klADCJX6vLM                
  pKBD8dC4KhbZ2gyeJqDv9pq3MRpbHF2DB9AErGcTjautliztxSNfbFsRckKzCrHr                
  fwE3852abbteg919SijFWrN6ohxWWqUOAJ4KB5n09iKOUTYfpdQ6Ue4P7Zxr4PVB                
  zvwLsDjZvco2q6DkKuoO5pLUaUxSeuATtnikOcfZxM+lefdemN0CpgbVZ4xtyefp                
  kENYaWL3NygSPL422+kdcD0ori/TZpKDua2c/AbsBSOPku5wYHIjYi6gKNwaT17D                                                                                                   
  M+E8tudk5j9cX6C1/tyOHHHVM20C0gtbAxHaiYGA3QKBgQD5g7GaE7ykaPJ2hSNG                
  ++nMMzMWdxMe6bm2kcMWeVWkQiy8SbK530ul7o3dDb3vWCrfyFcTfq+ZCg7pDw8A                                                                                                   
  szwm9F7ay1Yr8FXKn4A557EFBolZpugajCA+BDvC39DslOgTD8+IOyRql41C6/32
  aQ+2H9mu9HBXCr/o1UG00q/5YwKBgQD31Z/VlGS6x2abDUKUVDM5LqY1j6r5xUrK
  7rrJkKHJ2F7xnsmkiDNoAf2uOhw2i7/9CXvYJlNnJducmFRJK5rxu/63ddQnVDrd
  vZiQL1Qy6aIqkVRt8XHXrVTDoyRO1kygzNjc26yI8Zk/JmwVkPS6MmRWfJL+N//P
  urK0l6nnnwKBgHog2bd+3aDjtXoJpMDD4SYQEXt3gSZqZHpWUlUXwrGJqnfm4tJT
  16U6ZLnEVilm0GWEnApwweZ4o9+zfTZshI7UofEaAe2zz2pEM/Ej1OOO1X/KUGVe
  HRH95Hp4Lrz+DbH21S/rMuHxmDUfaclIl2YfpN8byjjwjAqdB3JIhdXdAoGAHwz5
  yJWeBTTEazq/E7x06n4ovt8wKbkJROGiL2zaiGJ+isE9PEsAPdC6CuEm9cKOnFJa
  3Nr4ahz5JeaD8OLwt8a5BB1UJlVMRsnhWndDkllpQvIQZPHyNHZ3/0bqXqJE2YSw
  ywMO292BOMNEmXMe5lE39woGlKlJeKpIh43U8LsCgYAKl7GlVA547z0975B2nv4a
  YeWzt20plkSyENv2V65DVogY0lKNpMNgttH0+UkZkJ03jFQ8n7EaKzwKhVxhvcg0
  tHXNTuAECG7uhT4aLjBUA4KTMNFjsDrSM5RnvM86U6noIrNl0UirJsrIzX/FiBd4
  B00j3wnIg+Ix1l+X44GneQ==
  -----END PRIVATE KEY-----

The solution you'd like
My impression is that the CLI utility used by Node does not support the dynamicallyCreateCertificateAuthorityCertificate option

https://www.mock-server.com/mock_server/running_mock_server.html#running_from_command_line_using_java

or that it is not documented. Additionally, I could not identify any errors in the log files.

Describe alternatives you've considered
I consider this a feature request, as by my understanding this functionality is not included in this library or its dependencies.
I tried to use the CLI utility, but the option is not available or documented.
I am not an expert in your project, so it is hard for me to find a solution for this issue. I would be thankful if you could help me find a solution. Thanks
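The man-in-the-middle scenario the quoted documentation warns about, as an added example that is not part of this issue and not MockServer's own code. It generates a throwaway CA key pair to stand in for the repository's CertificateAuthorityPrivateKey.pem (an assumption: any key pair behaves the same way for the demo), mints a certificate for an arbitrary hostname with that key, and shows that a client trusting the CA accepts it. The ca_cert_matches_key check is the one to run against a CA certificate in your OS trust store and a private key (the repository's, or the one in directoryToSaveDynamicSSLCertificate) to see whether they belong together. Requires the openssl CLI, 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not MockServer's own code. It shows (1) why a CA whose private
# key is public must not be in an OS trust store: the key holder can mint a
# certificate for any hostname that chains to that CA, and (2) the check for
# whether a CA certificate you trust belongs to a given private key.
# ASSUMPTION: a throwaway CA key pair generated here stands in for the
# repository's CertificateAuthorityPrivateKey.pem; the commands are the same
# with the real files. Requires the openssl CLI (1.1.1 or newer).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# SHA-256 over the DER SubjectPublicKeyInfo, derived from a private key ...
spki_fingerprint_of_key() {   # $1 = private key PEM
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# ... or from a certificate, so the two can be compared directly.
spki_fingerprint_of_cert() {  # $1 = certificate PEM
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate's public key matches the private key, i.e.
# whoever holds that key can issue certificates this CA vouches for.
ca_cert_matches_key() {       # $1 = CA cert PEM, $2 = private key PEM
  [ "$(spki_fingerprint_of_cert "$1")" = "$(spki_fingerprint_of_key "$2")" ]
}

# Stand-in for the public CA (assumption: any key pair will do for the demo).
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Stand-in MockServer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Mint a server certificate for an arbitrary hostname with the CA key.
forge_leaf() {                # $1 = hostname to impersonate
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$1" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Returns 0 when the forged leaf validates as a certificate for $1 under the
# CA, which is what a client trusting that CA would conclude.
leaf_validates_for_host() {   # $1 = hostname
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

make_stand_in_ca
if ca_cert_matches_key "$WORK/ca.crt" "$WORK/ca.key"; then
  echo "trusted CA cert belongs to the (public) key: its holder can impersonate any site"
fi
forge_leaf online-banking.example
if leaf_validates_for_host online-banking.example; then
  echo "forged certificate for online-banking.example is accepted under that CA"
fi
```

With the real files, point ca_cert_matches_key at the CA certificate you have installed and at the repository's PKCS8CertificateAuthorityPrivateKey.pem: a match means every client trusting that certificate can be intercepted by anyone who downloads the repository. The same function, run against the key MockServer wrote to directoryToSaveDynamicSSLCertificate, confirms the dynamic CA was actually used.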

This is related to #28: multiple JVM options were not honoured, which has now been fixed, so I believe this should now be fixed as well, but I'll double-check.

I have now further improved the handling of jvmOptions, so either an array or a single string is now supported. This will be released in the next few weeks.