maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Osipov (JIRA)" <>
Subject [jira] [Reopened] (MNG-5583) Better PKCS12 and/or PKCS11 support
Date Tue, 07 Aug 2018 19:37:00 GMT


Michael Osipov reopened MNG-5583:

> Better PKCS12 and/or PKCS11 support
> -----------------------------------
>                 Key: MNG-5583
>                 URL:
>             Project: Maven
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.1.1
>         Environment: Any multi-user environment, especially Unix/Linux environments.
>            Reporter: Christopher Tubbs
>            Priority: Major
>              Labels: security-issue
> Maven supports dependency resolution through HTTPS with client-authentication (documented
MNG-1560), via JSSE system properties on the java command-line. These can be configured in
the environment of the process that launches Maven as [MAVEN_OPTS|],
which can be made relatively secure.
> However, eventually, when the mvn bootstrap script starts Maven's java process, these
options are placed on the command line for java. This is extremely problematic, because it
means that any JSSE properties with sensitive information (,
for example) are visible in the process list to any user of the system. This is explicitly
[advised against by Java|],
but appears to be the only way to pass this information to Maven.
> Maven can do a better job of prompting for, or configuring, passphrases for keyStores
and trustStores. It already has the ability to configure server credentials in the settings.xml
file, protected with a master passphrase read from a different file ([~/.m2/settings-security.xml|]).
This would work for JKS and PKCS12 keystores today, if there were a way to configure the passphrases
there instead of in MAVEN_OPTS.
> Another option would be to support PKCS11 keystores, configured via the current JSSE
system properties. However, to do this, Maven needs to instantiate the SSL configuration in
the http client with an AuthProvider and a callback handler which prompts for the PKCS11 pin/passphrase.

This message was sent by Atlassian JIRA

View raw message