Christopher Tubbs created MNG-5583:
--------------------------------------
Summary: Better PKCS12 and/or PKCS11 support
Key: MNG-5583
URL: https://jira.codehaus.org/browse/MNG-5583
Project: Maven 2 & 3
Issue Type: Improvement
Components: General
Affects Versions: 3.1.1
Environment: Any multi-user environment, especially Unix/Linux environments.
Reporter: Christopher Tubbs
Maven supports dependency resolution through HTTPS with client authentication
(documented in MNG-1560), via JSSE system properties on the java command line.
These can be configured in the environment of the process that launches Maven
as [MAVEN_OPTS|http://maven.apache.org/guides/mini/guide-repository-ssl.html],
which can be made relatively secure.
However, eventually, when the mvn bootstrap script starts Maven's java process,
these options are placed on the command line for java. This is extremely
problematic, because it means that any JSSE properties with sensitive
information (javax.net.ssl.keyStorePassword, for example) are visible in the
process list to any user of the system. This is explicitly [advised against by
Java|http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
but appears to be the only way to pass this information to Maven.
Maven can do a better job of prompting for, or configuring, passphrases for
keyStores and trustStores. It already has the ability to configure server
credentials in the settings.xml file, protected with a master passphrase read
from a different file
([~/.m2/settings-security.xml|http://maven.apache.org/guides/mini/guide-encryption.html]).
This would work for JKS and PKCS12 keystores today, if there were a way to
configure the passphrases there instead of in MAVEN_OPTS.
Another option would be to support PKCS11 keystores, configured via the current
JSSE system properties. However, to do this, Maven needs to instantiate the SSL
configuration in the http client with an AuthProvider and a callback handler
which prompts for the PKCS11 pin/passphrase.
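The following is an added illustration of the PKCS11 approach described above; it is not Maven code and Maven currently offers no hook for it. It builds an SSLContext whose client certificate lives on a PKCS#11 token and obtains the PIN through a CallbackHandler that prompts on the console, so no javax.net.ssl.keyStorePassword ever appears on the java command line. It assumes a SunPKCS11 provider has already been registered (for example through the java.security properties file) under a name such as "SunPKCS11-MyToken"; that name and the class name Pkcs11ClientAuth are assumptions, not values from the issue.

```java
// Added example (not Maven's code): PKCS#11 client-auth SSLContext whose token
// PIN comes from a CallbackHandler prompt rather than a -D system property.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class Pkcs11ClientAuth {

    /** Prompts for the token PIN on the console only when the provider asks for it. */
    static final class ConsolePinHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                if (System.console() == null) {
                    throw new IOException("no interactive console available to prompt for the PIN");
                }
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pin = System.console().readPassword("%s", pc.getPrompt());
                pc.setPassword(pin);   // the provider copies the PIN; clear our copy
                Arrays.fill(pin, '\0');
            }
        }
    }

    /**
     * providerName is the registered SunPKCS11 provider, e.g. "SunPKCS11-MyToken"
     * (the suffix is the "name" entry of the PKCS#11 config file; assumed here).
     */
    public static SSLContext build(String providerName) throws GeneralSecurityException {
        Provider pkcs11 = Security.getProvider(providerName);
        if (pkcs11 == null) {
            throw new GeneralSecurityException("PKCS#11 provider not registered: " + providerName);
        }

        // CallbackHandlerProtection defers the PIN prompt until the token is actually
        // opened, so nothing sensitive has to be on the command line or in MAVEN_OPTS.
        KeyStore.Builder builder = KeyStore.Builder.newInstance(
                "PKCS11", pkcs11, new KeyStore.CallbackHandlerProtection(new ConsolePinHandler()));

        // "NewSunX509" is the key manager that accepts KeyStore.Builder parameters.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(new KeyStoreBuilderParameters(builder));

        // Trust material still comes from the default store (cacerts or javax.net.ssl.trustStore).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "SunPKCS11-MyToken";  // assumed provider name
        SSLContext ctx = build(name);
        System.out.println("Built client-auth context using protocol " + ctx.getProtocol());
    }
}
```

Run it as `java Pkcs11ClientAuth SunPKCS11-MyToken` on a machine where that provider is configured; the PIN is requested interactively at the moment the key manager first opens the token, which is the behaviour the issue asks Maven's HTTP client to adopt. The same shape (a KeyStore.Builder with a ProtectionParameter that is not a literal password) would also let a JKS or PKCS12 passphrase be read from a protected file such as settings-security.xml instead of from a system property.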
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)