[ https://issues.apache.org/jira/browse/MNG-5583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christopher Tubbs updated MNG-5583:
-----------------------------------
Labels: security-issue (was: )
> Better PKCS12 and/or PKCS11 support
> -----------------------------------
>
> Key: MNG-5583
> URL: https://issues.apache.org/jira/browse/MNG-5583
> Project: Maven
> Issue Type: Improvement
> Components: General
> Affects Versions: 3.1.1
> Environment: Any multi-user environment, especially Unix/Linux environments.
> Reporter: Christopher Tubbs
> Priority: Major
> Labels: security-issue
>
> Maven supports dependency resolution through HTTPS with client-authentication (documented MNG-1560), via JSSE system properties on the java command-line. These can be configured in the environment of the process that launches Maven as [MAVEN_OPTS|http://maven.apache.org/guides/mini/guide-repository-ssl.html], which can be made relatively secure.
>
> However, eventually, when the mvn bootstrap script starts Maven's java process, these options are placed on the command line for java. This is extremely problematic, because it means that any JSSE properties with sensitive information (javax.net.ssl.keyStorePassword, for example) are visible in the process list to any user of the system. This is explicitly [advised against by Java|http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization], but appears to be the only way to pass this information to Maven.
>
> Maven can do a better job of prompting for, or configuring, passphrases for keyStores and trustStores. It already has the ability to configure server credentials in the settings.xml file, protected with a master passphrase read from a different file ([~/.m2/settings-security.xml|http://maven.apache.org/guides/mini/guide-encryption.html]). This would work for JKS and PKCS12 keystores today, if there were a way to configure the passphrases there instead of in MAVEN_OPTS.
>
> Another option would be to support PKCS11 keystores, configured via the current JSSE system properties. However, to do this, Maven needs to instantiate the SSL configuration in the http client with an AuthProvider and a callback handler which prompts for the PKCS11 pin/passphrase.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
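The exposure the quoted issue describes (a keystore passphrase passed through MAVEN_OPTS ending up as a `-D` option on the java command line, readable from the process list) is easy to check for on a shared host. The following script is an added example written for this page, not code from the issue or from the Maven project: it parses `ps -eo pid,user,args`-style output, reports which processes carry secret-bearing JSSE properties, and produces a redacted copy of the command line so the finding can be logged without copying the secret. The `ps` text is constructed sample data; `javax.net.ssl.keyStorePassword` is the property the issue names, and `javax.net.ssl.trustStorePassword` is its standard JSSE counterpart.

```python
import shlex
from typing import Dict, List, Tuple

# JSSE system properties whose values are secrets. keyStorePassword is the one
# the issue names; trustStorePassword is its standard JSSE counterpart.
SENSITIVE_PROPS = frozenset({
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStorePassword",
})

# Constructed sample of `ps -eo pid,user,args` output (hypothetical users and paths).
# PID 4242 is a Maven launch whose MAVEN_OPTS carried the keystore passphrase.
SAMPLE_PS_OUTPUT = """\
  PID USER     COMMAND
 4242 alice    /usr/lib/jvm/java/bin/java -classpath /opt/maven/boot/plexus-classworlds.jar -Dclassworlds.conf=/opt/maven/bin/m2.conf -Dmaven.home=/opt/maven -Djavax.net.ssl.keyStore=/home/alice/.m2/client.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=hunter2 org.codehaus.plexus.classworlds.launcher.Launcher install
 4311 bob      /usr/lib/jvm/java/bin/java -Dmaven.home=/opt/maven org.codehaus.plexus.classworlds.launcher.Launcher test
 4400 carol    /bin/sleep 300
"""


def _system_props(args: str) -> List[Tuple[str, str]]:
    """Split a java command line into (name, value) pairs for its -D options."""
    pairs = []
    for tok in shlex.split(args):
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            pairs.append((name, value))
    return pairs


def exposed_jsse_secrets(args: str) -> List[str]:
    """Names of secret-bearing JSSE properties present on the command line."""
    return [name for name, _ in _system_props(args) if name in SENSITIVE_PROPS]


def redact_args(args: str) -> str:
    """Command line with secret property values blanked, safe to put in a report."""
    out = []
    for tok in shlex.split(args):
        if tok.startswith("-D") and "=" in tok:
            name, _ = tok[2:].split("=", 1)
            if name in SENSITIVE_PROPS:
                tok = f"-D{name}=***"
        out.append(tok)
    return " ".join(out)


def audit_process_list(ps_output: str) -> List[Dict[str, object]]:
    """Parse `ps -eo pid,user,args` text and report processes exposing JSSE secrets."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        exposed = exposed_jsse_secrets(args)
        if exposed:
            findings.append({
                "pid": pid,
                "user": user,
                "exposed": exposed,
                "args": redact_args(args),
            })
    return findings


if __name__ == "__main__":
    for f in audit_process_list(SAMPLE_PS_OUTPUT):
        print(f"pid {f['pid']} ({f['user']}): {', '.join(f['exposed'])} on command line")
        print("  " + f["args"])
```

A non-empty result is exactly the condition the issue argues Maven should make avoidable: the passphrase belongs in a file with restrictive permissions (the settings.xml / settings-security.xml mechanism the reporter points to) or behind a prompt, not in an argument that every local user can read.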