[ https://issues.apache.org/jira/browse/MNG-5583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100919#comment-17100919 ]

Michael Osipov edited comment on MNG-5583 at 5/6/20, 3:55 PM:
--------------------------------------------------------------

Both work. I have already implemented both with HttpClient. It is simply a 
chore for design and implementation. See also my answer here: 
https://stackoverflow.com/a/56451533/696632


> Better PKCS12 and/or PKCS11 support
> -----------------------------------
>
>                 Key: MNG-5583
>                 URL: https://issues.apache.org/jira/browse/MNG-5583
>             Project: Maven
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.1.1
>         Environment: Any multi-user environment, especially Unix/Linux 
> environments.
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
>
> Maven supports dependency resolution through HTTPS with client authentication 
> (documented in MNG-1560), via JSSE system properties on the java command line. 
> These can be configured in the environment of the process that launches Maven 
> as 
> [MAVEN_OPTS|https://maven.apache.org/guides/mini/guide-repository-ssl.html], 
> which can be made relatively secure.
>
> However, eventually, when the mvn bootstrap script starts Maven's java 
> process, these options are placed on the command line for java. This is 
> extremely problematic, because it means that any JSSE properties with 
> sensitive information (javax.net.ssl.keyStorePassword, for example) are 
> visible in the process list to any user of the system. This is explicitly 
> [advised against by 
> Java|https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
>  but appears to be the only way to pass this information to Maven.
>
> Maven can do a better job of prompting for, or configuring, passphrases for 
> keyStores and trustStores. It already has the ability to configure server 
> credentials in the settings.xml file, protected with a master passphrase read 
> from a different file 
> ([~/.m2/settings-security.xml|https://maven.apache.org/guides/mini/guide-encryption.html]).
>  This would work for JKS and PKCS12 keystores today, if there were a way to 
> configure the passphrases there instead of in MAVEN_OPTS.
>
> Another option would be to support PKCS11 keystores, configured via the 
> current JSSE system properties. However, to do this, Maven needs to 
> instantiate the SSL configuration in the http client with an AuthProvider and 
> a callback handler which prompts for the PKCS11 pin/passphrase.
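The two alternatives the issue describes, as an added example that is not Maven's code and not the commenter's implementation: a client-authenticating SSLContext built either from a PKCS#12 file whose passphrase is read from a private file, or from a PKCS#11 token whose PIN is requested through a CallbackHandler. In both cases nothing sensitive ends up in a -D option on the java command line, which is the exposure the report is about. The file names (client.p12, client.pass, pkcs11.cfg) and the class name are hypothetical; the example assumes Java 9 or later for Provider.configure and a JDK that ships the SunPKCS11 provider.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical helper (not part of Maven): builds a client-authenticating SSLContext
 * without placing the keystore passphrase or token PIN on the java command line,
 * where "ps" would show it to every user on the host.
 */
public final class ClientAuthSslContext {

    private ClientAuthSslContext() {}

    /** PKCS#12 keystore; the passphrase comes from a file that must be mode 0600 (e.g. under ~/.m2/). */
    public static SSLContext fromPkcs12(Path p12File, Path passphraseFile)
            throws IOException, GeneralSecurityException {
        requirePrivate(passphraseFile);
        char[] pass = new String(Files.readAllBytes(passphraseFile), StandardCharsets.UTF_8)
                .trim().toCharArray();
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(p12File)) {
                ks.load(in, pass);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, pass);
            return build(kmf);
        } finally {
            Arrays.fill(pass, '\0'); // do not keep the passphrase around in the heap longer than needed
        }
    }

    /** PKCS#11 token; the PIN is obtained from the CallbackHandler when the token is first opened. */
    public static SSLContext fromPkcs11(Path pkcs11Config, CallbackHandler pinHandler)
            throws GeneralSecurityException {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new GeneralSecurityException("SunPKCS11 provider not available in this JDK");
        }
        // Java 9+: the config file names the token ("name = ..." and "library = /path/to/pkcs11.so").
        Provider pkcs11 = base.configure(pkcs11Config.toString());
        Security.addProvider(pkcs11);
        // CallbackHandlerProtection makes the KeyStore.Builder ask the handler for the PIN instead of
        // taking a password string; the private key itself never leaves the token.
        KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", pkcs11,
                new KeyStore.CallbackHandlerProtection(pinHandler));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(new KeyStoreBuilderParameters(builder));
        return build(kmf);
    }

    /** Interactive PIN prompt: answers PasswordCallbacks from the console and refuses anything else. */
    public static CallbackHandler consolePinHandler() {
        return (Callback[] callbacks) -> {
            Console console = System.console();
            if (console == null) {
                throw new IOException("no console available to prompt for the PKCS#11 PIN");
            }
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                PasswordCallback pc = (PasswordCallback) cb;
                pc.setPassword(console.readPassword("%s ", pc.getPrompt()));
            }
        };
    }

    private static SSLContext build(KeyManagerFactory kmf) throws GeneralSecurityException {
        // Trust stays on the JDK default (cacerts or javax.net.ssl.trustStore); only client auth is added.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Reject a passphrase file readable by group or others; skipped on non-POSIX filesystems. */
    private static void requirePrivate(Path file) throws IOException {
        Set<PosixFilePermission> perms;
        try {
            perms = Files.getPosixFilePermissions(file);
        } catch (UnsupportedOperationException e) {
            return;
        }
        Set<PosixFilePermission> nonOwner = EnumSet.noneOf(PosixFilePermission.class);
        nonOwner.addAll(perms);
        nonOwner.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE));
        if (!nonOwner.isEmpty()) {
            throw new IOException(file + " must not be readable by group or others (chmod 600)");
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: ClientAuthSslContext p12 client.p12 ~/.m2/client.pass
        //                     ClientAuthSslContext p11 pkcs11.cfg
        SSLContext ctx = "p11".equals(args[0])
                ? fromPkcs11(Paths.get(args[1]), consolePinHandler())
                : fromPkcs12(Paths.get(args[1]), Paths.get(args[2]));
        System.out.println("client-auth SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

The resulting SSLContext is what an HTTP transport needs: with Apache HttpClient 4.4 or later it is passed to HttpClientBuilder.setSSLContext, and with the JDK client to HttpClient.newBuilder().sslContext(...). For the PKCS#11 path the PIN prompt does not happen at construction time but when the key manager first opens the token, i.e. at the first TLS handshake that requires a client certificate, so an interactive prompt only works while a console is attached.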



--
This message was sent by Atlassian Jira
(v8.3.4#803005)