From cf4a06a44a028c42d11b22340f6bc0cf20818f19 Mon Sep 17 00:00:00 2001
From: Ferdinand Schober
Date: Fri, 27 Sep 2024 23:57:11 +0200
Subject: [PATCH] make private key file inaccessible to other users
---
 src/crypto.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/crypto.rs b/src/crypto.rs
index 4030940..f68459d 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -2,6 +2,9 @@ use std::io::{self, BufWriter, Read, Write};
 use std::path::Path;
 use std::{fs::File, io::BufReader};
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
+
 use sha2::{Digest, Sha256};
 use thiserror::Error;
 use webrtc_dtls::crypto::Certificate;
@@ -70,6 +73,13 @@ pub(crate) fn generate_key_and_cert(path: &Path) -> Result {
 let cert = Certificate::generate_self_signed(["ignored".to_owned()])?;
 let serialized = cert.serialize_pem();
 let f = File::create(path)?;
+ #[cfg(unix)]
+ {
+ let mut perm = f.metadata()?.permissions();
+ perm.set_mode(0o400); /* r-- --- --- */
+ f.set_permissions(perm)?;
+ }
+ /* FIXME windows permissions */
 let mut writer = BufWriter::new(f);
 writer.write(serialized.as_bytes())?;
 Ok(cert)
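Review bot: In the second hunk the key file is still created by `File::create(path)` with the umask-default mode and only narrowed to 0o400 afterwards, so between the two calls another local user can open the still-empty file and keep a descriptor that later reads the key. Creating the file already restricted in a single open call closes that window; `.mode()` needs `std::os::unix::fs::OpenOptionsExt` imported under `#[cfg(unix)]` next to `PermissionsExt` from the first hunk. `create_new(true)` also refuses a path that already exists (including a symlink); whether callers rely on overwriting an old key is not visible, since generate_key_and_cert starts and ends outside the hunk. Separately, the unchanged `writer.write(...)` may return a short count and the `BufWriter` is dropped without `flush()`, so a truncated key file can go unnoticed; `write_all` plus an explicit `flush()?` would surface it.

```rust
let serialized = cert.serialize_pem();
// Create the file already restricted so it never exists with umask-default permissions.
#[cfg(unix)]
let f = std::fs::OpenOptions::new()
    .write(true)
    .create_new(true)
    .mode(0o400) /* r-- --- --- */
    .open(path)?;
#[cfg(not(unix))]
let f = File::create(path)?;
/* FIXME windows permissions */
// … unchanged: BufWriter setup, write and Ok(cert) …
```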