[ 
https://issues.apache.org/jira/browse/MNG-5583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16862405#comment-16862405
 ] 

Michael Osipov commented on MNG-5583:
-------------------------------------

Is this one still relevant. I just started last week using PKCS12 keystores 
with the HttpClient and it works out of the box. What one could do right now is 
to use the private key path for SSH as the path to the keystore. The passphrase 
would open up the store and the password would be the one for the one. The 
username would be the alias. Also we need some hint that X.509 based auth is 
required. Would you like to explore this with me?

> Better PKCS12 and/or PKCS11 support
> -----------------------------------
>
>                 Key: MNG-5583
>                 URL: https://issues.apache.org/jira/browse/MNG-5583
>             Project: Maven
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.1.1
>         Environment: Any multi-user environment, especially Unix/Linux 
> environments.
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
>
> Maven supports dependency resolution through HTTPS with client-authentication 
> (documented MNG-1560), via JSSE system properties on the java command-line. 
> These can be configured in the environment of the process that launches Maven 
> as 
> [MAVEN_OPTS|http://maven.apache.org/guides/mini/guide-repository-ssl.html], 
> which can be made relatively secure.
> However, eventually, when the mvn bootstrap script starts Maven's java 
> process, these options are placed on the command line for java. This is 
> extremely problematic, because it means that any JSSE properties with 
> sensitive information (javax.net.ssl.keyStorePassword, for example) are 
> visible in the process list to any user of the system. This is explicitly 
> [advised against by 
> Java|http://download.java.net/jdk8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization],
>  but appears to be the only way to pass this information to Maven.
> Maven can do a better job of prompting for, or configuring, passphrases for 
> keyStores and trustStores. It already has the ability to configure server 
> credentials in the settings.xml file, protected with a master passphrase read 
> from a different file 
> ([~/.m2/settings-security.xml|http://maven.apache.org/guides/mini/guide-encryption.html]).
>  This would work for JKS and PKCS12 keystores today, if there were a way to 
> configure the passphrases there instead of in MAVEN_OPTS.
> Another option would be to support PKCS11 keystores, configured via the 
> current JSSE system properties. However, to do this, Maven needs to 
> instantiate the SSL configuration in the http client with an AuthProvider and 
> a callback handler which prompts for the PKCS11 pin/passphrase.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to