From 60dbb2039fd568679ab81455a9eb568de032e523 Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Mon, 11 May 2026 15:43:12 +0100
Subject: [PATCH] Exclude TLS key password from chaincode server log

The constructor for the NettyGrpcServer implementation included an info level log of all of the chaincode server properties, including the TLS key password. While both the key and accompanying password are necessary to allow the chaincode server to be impersonated, an attacker with access to the chaincode server filesystem where the key is stored would likely also have access to the logs containing the key password. The password is sensitive information that should not be logged regardless.

Signed-off-by: Mark S. Lewis
---
 .../main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java
index 00e7c2ac..ac88b9a0 100644
--- a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java
+++ b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/shim/NettyGrpcServer.java
@@ -70,7 +70,6 @@ public NettyGrpcServer(final ChaincodeBase chaincodeBase, final ChaincodeServerP
 LOGGER.info("PermitKeepAliveTimeMinutes:" + chaincodeServerProperties.getPermitKeepAliveTimeMinutes());
 LOGGER.info("KeepAliveTimeMinutes:" + chaincodeServerProperties.getKeepAliveTimeMinutes());
 LOGGER.info("PermitKeepAliveWithoutCalls:" + chaincodeServerProperties.getPermitKeepAliveWithoutCalls());
- LOGGER.info("KeyPassword:" + chaincodeServerProperties.getKeyPassword());
 LOGGER.info("KeyCertChainFile:" + chaincodeServerProperties.getKeyCertChainFile());
 LOGGER.info("KeyFile:" + chaincodeServerProperties.getKeyFile());
 LOGGER.info("isTlsEnabled:" + chaincodeServerProperties.isTlsEnabled());