[ https://issues.apache.org/jira/browse/MNG-5583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov closed MNG-5583.
-------------------------------
    Resolution: Auto Closed

This issue has been auto closed because it has been inactive for a long period of time. If you think this issue still applies, retest your problem with the most recent version of Maven and the affected component, reopen and post your results.

> Better PKCS12 and/or PKCS11 support
> -----------------------------------
>
>                 Key: MNG-5583
>                 URL: https://issues.apache.org/jira/browse/MNG-5583
>             Project: Maven
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.1.1
>         Environment: Any multi-user environment, especially Unix/Linux environments.
>            Reporter: Christopher Tubbs
>            Priority: Major
>
> Maven supports dependency resolution through HTTPS with client authentication (documented in MNG-1560), via JSSE system properties on the java command line. These can be configured in the environment of the process that launches Maven as [MAVEN_OPTS|http://maven.apache.org/guides/mini/guide-repository-ssl.html], which can be made relatively secure.
>
> However, eventually, when the mvn bootstrap script starts Maven's java process, these options are placed on the command line for java. This is extremely problematic, because it means that any JSSE properties with sensitive information (javax.net.ssl.keyStorePassword, for example) are visible in the process list to any user of the system. This is explicitly [advised against by Java|http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], but appears to be the only way to pass this information to Maven.
>
> Maven can do a better job of prompting for, or configuring, passphrases for keyStores and trustStores. It already has the ability to configure server credentials in the settings.xml file, protected with a master passphrase read from a different file ([~/.m2/settings-security.xml|http://maven.apache.org/guides/mini/guide-encryption.html]). This would work for JKS and PKCS12 keystores today, if there were a way to configure the passphrases there instead of in MAVEN_OPTS.
>
> Another option would be to support PKCS11 keystores, configured via the current JSSE system properties. However, to do this, Maven needs to instantiate the SSL configuration in the http client with an AuthProvider and a callback handler which prompts for the PKCS11 pin/passphrase.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
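The exposure the report describes, reproduced as an added example (it is not part of the issue or of Maven's own code): a JVM flag such as -Djavax.net.ssl.keyStorePassword=... placed in a process's argv is readable by every local user through the process list, while the same value kept only in the environment is not. A `sleep` child stands in for the java process the mvn script starts, the password value is a constructed placeholder, and the script assumes a Linux-style /proc with a `ps` fallback for other systems.

```shell
#!/bin/sh
# Added illustration for MNG-5583 (not Maven code). A shell child running
# `sleep` stands in for the java process started by the mvn script; the
# password below is a constructed placeholder, never a real value.

FAKE_PASSWORD='hunter2-not-a-real-secret'   # constructed placeholder
PROP="-Djavax.net.ssl.keyStorePassword=$FAKE_PASSWORD"

# Print a process's argv on one line. On Linux /proc/<pid>/cmdline is
# mode 0444, i.e. readable by any user; `ps` shows the same data elsewhere.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\000' ' ' < "/proc/$1/cmdline"
    else
        ps -p "$1" -o args=
    fi
}

# Start a stand-in child, print its argv as seen through the process list,
# then clean it up. $1 is an extra argv entry, $2 an extra environment
# assignment (either may be empty). Two commands in the -c string keep sh
# from exec'ing sleep directly, which would replace the argv we inspect.
observed_argv() {
    env $2 sh -c 'sleep 3; :' sh-stand-in "$1" &
    pid=$!
    sleep 1                               # let the child exec before looking
    cmdline_of "$pid"
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
}

# Case 1: what happens when the mvn script expands MAVEN_OPTS onto the java
# command line. Returns 0 when the password is visible in the process list.
leaks_via_argv() {
    case "$(observed_argv "$PROP" "")" in
        *"$FAKE_PASSWORD"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Case 2: the same property left only in the environment variable, which is
# where the report says it can be kept "relatively secure".
# Returns 0 when the password is visible in the process list.
leaks_via_env() {
    case "$(observed_argv "" "MAVEN_OPTS=$PROP")" in
        *"$FAKE_PASSWORD"*) return 0 ;;
        *) return 1 ;;
    esac
}

if leaks_via_argv; then
    echo "argv:    password readable from the process list"
fi
if leaks_via_env; then
    echo "environ: password readable from the process list"
else
    echo "environ: password not present in the process list"
fi
```

Run as any unprivileged user: the first case prints the placeholder in `ps` output for everyone on the machine, the second does not. The environment is not secret in an absolute sense (on Linux /proc/<pid>/environ is mode 0400, readable by the process owner and root), but it is not world-readable the way argv is, which is exactly the gap the report points at: MAVEN_OPTS starts in the environment and the bootstrap script moves it into argv.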