Questions around using cert/key pair for TLS

[DGuhr]

Hey everyone,

while reading through the http reference, specifically about setting up HTTPS/TLS, I had some questions left which I hope to find an answer for here.

There is the sentence "Quarkus will first try to load the given files as resources, and uses the filesystem as a fallback" in 3.1 of the referenced article.

Here's where my questions start:

1. What exactly is meant by "load the given files as resources"? Could someone elaborate? Is it loaded into memory?

2. Under what exact circumstances does the filesystem fallback happen, and where does the generated keystore then rely in the filesystem? Can we manipulate this location?

3. When setting quarkus.http.ssl.certificate.key-store-password=your-password and using a cert / key pair, am I correct that this password is applied internally to the generated keystore?

I am asking bc. of curiosity, and bc. of a hypothetical situation like this:

Situation:
A keystore is generated in the file system at a default location, and a standard value is an insecure value like in "password", which is the current default.

Thought:
A potential attack vector may be (given you have access to the container/system in general, and yes I know this opens a whole lot of other doors, just for the sake of the hypthesis ) to search this generated keystore at the default location and try opening it using the default passwords value and thus getting access to potentially valuable certs/keys which could then be misused.

Thanks in advance.

brought over from https://groups.google.com/g/quarkus-dev/c/6q3PC36g1a0/m/CozK8-4lAgAJ?utm_medium=email&utm_source=footer (@maxandersen sry for the noise, you were right, this is a better place ;) )

[maxandersen]

Hi @DGuhr,

load as resources means attempted to load from the classloader. Meaning, delivered via a file inside the project or as a dependency.

fallback happens if the resource lookup fails (i.e. the path used does not exist)

the lookup is done based on current working directory of the java process. Thus you should be able to use absolute paths or relative ones.

For how the certificate key is exactly done @sberyozkin might know better than me?

[sberyozkin]

Hi @DGuhr, @maxandersen

Here are some comments

What exactly is meant by "load the given files as resources"?

Max has explained, it is looked at as a classpath resource first

and where does the generated keystore then rely in the filesystem?

When I looked at the code last time I don't think I saw the keystore being generated into the file system somewhere, it is kept in memory (internally by Vert.x) as far as I recall in this case when you do

quarkus.http.ssl.certificate.file=
quarkus.http.ssl.key.file=

If quarkus.http.ssl.certificate.key-store-file is set then yes, the password is really necessary, but with those properties, with the in-memory keystore, I guess the default password should be safe.

This doc section should be expanded with some clarifications. @cescoffier Hi Clement, can you comment a bit more please, I can follow up with updating the docs.

[DGuhr]

Thanks for your answer, that clarified a lot :)