[ https://issues.apache.org/jira/browse/MNG-5583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100919#comment-17100919 ]
Michael Osipov commented on MNG-5583:
-------------------------------------

Both work. I have already implemented both with HttpClient. It is simply a chore, design and implementation.

> Better PKCS12 and/or PKCS11 support
> -----------------------------------
>
> Key: MNG-5583
> URL: https://issues.apache.org/jira/browse/MNG-5583
> Project: Maven
> Issue Type: Improvement
> Components: General
> Affects Versions: 3.1.1
> Environment: Any multi-user environment, especially Unix/Linux environments.
> Reporter: Christopher Tubbs
> Priority: Major
> Labels: security-issue
>
> Maven supports dependency resolution through HTTPS with client-authentication (documented in MNG-1560), via JSSE system properties on the java command-line. These can be configured in the environment of the process that launches Maven as [MAVEN_OPTS|https://maven.apache.org/guides/mini/guide-repository-ssl.html], which can be made relatively secure.
>
> However, eventually, when the mvn bootstrap script starts Maven's java process, these options are placed on the command line for java. This is extremely problematic, because it means that any JSSE properties with sensitive information (javax.net.ssl.keyStorePassword, for example) are visible in the process list to any user of the system. This is explicitly [advised against by Java|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], but appears to be the only way to pass this information to Maven.
>
> Maven can do a better job of prompting for, or configuring, passphrases for keyStores and trustStores. It already has the ability to configure server credentials in the settings.xml file, protected with a master passphrase read from a different file ([~/.m2/settings-security.xml|https://maven.apache.org/guides/mini/guide-encryption.html]). This would work for JKS and PKCS12 keystores today, if there were a way to configure the passphrases there instead of in MAVEN_OPTS.
>
> Another option would be to support PKCS11 keystores, configured via the current JSSE system properties. However, to do this, Maven needs to instantiate the SSL configuration in the http client with an AuthProvider and a callback handler which prompts for the PKCS11 pin/passphrase.
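Added example (not Maven's or HttpClient's code, and not from the issue) of the approach the report describes: a KeyStore.Builder wrapped in a CallbackHandlerProtection, so the PKCS12 passphrase or PKCS11 PIN is obtained from a callback handler and never has to appear as javax.net.ssl.keyStorePassword on the java command line. The class and method names, the console prompt, and an already configured SunPKCS11 provider are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.security.KeyStore;
import java.security.Provider;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.SSLContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Client-auth SSLContext whose key store passphrase or PIN never appears as a -D option. */
public final class CallbackKeyStoreSsl {
    /** Prompts on the console; a Maven-side variant could read settings-security.xml instead. */
    static final class ConsolePinHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            if (System.console() == null) throw new IOException("no interactive console for PIN prompt");
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) throw new UnsupportedCallbackException(cb);
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pin = System.console().readPassword("%s", pc.getPrompt());
                pc.setPassword(pin);    // setPassword stores its own copy ...
                Arrays.fill(pin, '\0'); // ... so scrub ours immediately
            }
        }
    }

    /** PKCS12 file store; the passphrase is requested through the handler, not a system property. */
    static KeyStore.Builder pkcs12(File file) {
        return KeyStore.Builder.newInstance("PKCS12", null, file,
                new KeyStore.CallbackHandlerProtection(new ConsolePinHandler()));
    }

    /** PKCS11 token; assumes the caller has already configured and loaded a SunPKCS11 provider. */
    static KeyStore.Builder pkcs11(Provider sunPkcs11) {
        return KeyStore.Builder.newInstance("PKCS11", sunPkcs11,
                new KeyStore.CallbackHandlerProtection(new ConsolePinHandler()));
    }

    /** "NewSunX509" accepts a KeyStore.Builder, so the PIN flows through the CallbackHandler. */
    static SSLContext clientAuthContext(KeyStore.Builder builder) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(new KeyStoreBuilderParameters(builder));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = JDK default trust managers
        return ctx;
    }
}
```

The resulting SSLContext can be handed to an HTTP client's connection factory; with this wiring, `ps` on the build host shows no passphrase, which is the exposure the report describes.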