1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache license, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the license for the specific language governing permissions and
15 * limitations under the license.
16 */
17 package org.apache.logging.log4j.core.net.ssl;
18
19 import java.util.Arrays;
20
21 /**
22 * Simple PasswordProvider implementation that keeps the password char[] array in memory.
23 * <p>
24 * This implementation is not very secure because the password data is resident in memory during the life of this
25 * provider object, giving attackers a large window of opportunity to obtain the password from a memory dump.
26 * A slightly more secure implementation is {@link EnvironmentPasswordProvider},
27 * and an even more secure implementation is {@link FilePasswordProvider}.
28 * </p>
29 */
30 class MemoryPasswordProvider implements PasswordProvider {
31 private final char[] password;
32
33 public MemoryPasswordProvider(final char[] chars) {
34 if (chars != null) {
35 password = chars.clone();
36 } else {
37 password = null;
38 }
39 }
40
41 @Override
42 public char[] getPassword() {
43 if (password == null) {
44 return null;
45 }
46 return password.clone();
47 }
48
49 public void clearSecrets() {
50 Arrays.fill(password, '\0');
51 }
52 }