eclipse.platform

Condensed Authentication bundle

Open JavaJoeS opened this issue 10 months ago • 7 comments

This security package contains functionality to allow for Client and/or Server Authentication using PKCS11 or PKCS12 keystores and JKS Truststores.

JavaJoeS avatar Feb 18 '25 11:02 JavaJoeS

@laeubi Pleasantly surprised, so few issues this go around. lol...

JavaJoeS avatar Feb 18 '25 11:02 JavaJoeS

> @laeubi Pleasantly surprised, so few issues this go around. lol...

rofl lmao

Besides that, this is just a quick review of things that need to be done before a more in-depth review... IMHO!

laeubi avatar Feb 18 '25 11:02 laeubi

@laeubi I could expect nothing less. Everyone wants to be secure, but no one wants security!

JavaJoeS avatar Feb 18 '25 11:02 JavaJoeS

@sratz

FYI, when @HannesWell and I last talked with @JavaJoeS we strongly recommended that he get in contact with you because we don't know anyone who is qualified to review these low-level, security-related issues and I don't think we non-experts can move forward on technology where we do not understand fully the risks...

merks avatar Feb 18 '25 15:02 merks

@sratz Please contact me. I'm in the process of doing updates as directed on this PR.

JavaJoeS avatar Feb 18 '25 15:02 JavaJoeS

I am not a security expert so do not consider myself qualified to review this code. Besides the security aspects it's

  • way too many magic numbers and magic strings
  • repeated code
  • no clear public API that I can see at first glance
  • way too much commented / unused / ... code
  • simply too much for me to review at this time

I also fail to understand what concrete problem this is going to solve.

My point of contact with this kind of certificate handling is mainly because of

  • https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/929
  • https://github.com/eclipse-packaging/packages/pull/224

i.e., to ensure that the basic functionality of installing/updating software / talking to outside world in general works well also in weird corporate environments. For that, my proposal would be a minimal solution of combining OS and JVM trust stores, not diving deeper into the security aspects.

I don't think this kind of complicated PKCS code belongs in the base platform as I believe it to be out of scope for an RCP platform.

Also, my personal experience is that the world is rather moving away from these kind of PKCS-based client/server authentication towards standards such as OAuth / OpenID Connect.

sratz avatar Feb 18 '25 15:02 sratz
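For readers who want to see what the two positions in this thread look like in code, here is an added example (not code from the PR or from the Eclipse platform): it builds a single `SSLContext` that does what the issue body asks for (client authentication from a PKCS#12 keystore, trust from a JKS truststore) and also what sratz proposes as the minimal alternative (trusting the union of the JVM's default cacerts and the operating system's trust store where the JDK exposes one). File names, passwords, the `CombinedTrust` class and helper names, and the PKCS#11 provider setup mentioned in the comments are assumptions for the demo.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not the PR's code): mutual TLS with a PKCS#12 client keystore and a
 * trust decision that is the union of a JKS truststore, the JVM's default cacerts and,
 * where the JDK has a provider for it, the OS trust store. Paths/passwords are assumed.
 */
public final class CombinedTrust {

    /** Opens a keystore; a null path means a store with no backing file (PKCS11, OS stores). */
    static KeyStore openStore(String type, Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (path == null) {
            ks.load(null, password);
        } else {
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    /** The OS trust store for this platform, or null where the JDK ships no provider for it. */
    static KeyStore osTrustStore() {
        String os = System.getProperty("os.name", "").toLowerCase();
        try {
            if (os.contains("win")) return openStore("Windows-ROOT", null, null); // SunMSCAPI
            if (os.contains("mac")) return openStore("KeychainStore", null, null); // Apple provider
        } catch (Exception e) {
            // Provider missing on this JDK build: the caller simply uses the remaining sources.
        }
        return null; // Linux: no OS-store provider in the JDK; cacerts is usually the distro bundle anyway
    }

    /** Trust manager over one keystore; a null keystore selects the JVM default truststore. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // ks == null is the documented way to get cacerts / javax.net.ssl.trustStore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Union: a chain is accepted if ANY delegate accepts it; the last rejection is reported otherwise. */
    static X509TrustManager union(List<X509TrustManager> delegates) {
        if (delegates.isEmpty()) throw new IllegalArgumentException("no trust sources");
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                CertificateException last = null;
                for (X509TrustManager tm : delegates) {
                    try { tm.checkServerTrusted(chain, authType); return; } catch (CertificateException e) { last = e; }
                }
                throw last;
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                CertificateException last = null;
                for (X509TrustManager tm : delegates) {
                    try { tm.checkClientTrusted(chain, authType); return; } catch (CertificateException e) { last = e; }
                }
                throw last;
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> all = new ArrayList<>();
                for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
                return all.toArray(new X509Certificate[0]);
            }
        };
    }

    /** Mutual-TLS context: PKCS#12 client identity plus the combined trust sources. */
    static SSLContext build(Path p12, char[] p12Password, Path jks, char[] jksPassword) throws Exception {
        // Client identity. For a PKCS#11 token, register a SunPKCS11 provider configured for the
        // token's library (assumed setup, not shown) and call openStore("PKCS11", null, pin) instead.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(openStore("PKCS12", p12, p12Password), p12Password);

        List<X509TrustManager> sources = new ArrayList<>();
        if (jks != null && Files.isRegularFile(jks)) sources.add(trustManagerFor(openStore("JKS", jks, jksPassword)));
        sources.add(trustManagerFor(null));                       // JVM default cacerts
        KeyStore os = osTrustStore();
        if (os != null) sources.add(trustManagerFor(os));          // OS store, where available

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { union(sources) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed demo inputs: client.p12 and truststore.jks in the working directory, password "changeit".
        char[] pw = "changeit".toCharArray();
        SSLContext ctx = build(Path.of("client.p12"), pw, Path.of("truststore.jks"), pw);
        Arrays.fill(pw, '\0'); // the factories have consumed the password; do not keep it around
        System.out.println("TLS context ready (" + ctx.getProtocol() + ")");
    }
}
```

The union semantics are the practitioner's caveat here: a chain is accepted if any one source accepts it, so adding the OS store makes the application trust everything the OS trusts, including a corporate TLS-inspecting proxy's root pushed by group policy. That is exactly the "weird corporate environments" case sratz wants to handle, but it also means a root injected into the OS store is trusted by the application without any application-level opt-in, so the list of sources should be deliberate rather than automatic.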

https://www.forbes.com/councils/forbestechcouncil/2025/02/14/the-role-of-pki-in-non-human-identity-security-and-zero-trust/

JavaJoeS avatar Feb 18 '25 18:02 JavaJoeS