This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 170650 - Support for overall keystore password for Java Card projects
Summary: Support for overall keystore password for Java Card projects
Status: RESOLVED FIXED
Alias: None
Product: javacard
Classification: Unclassified
Component: Java Card (show other bugs)
Version: 6.x
Hardware: All All
: P3 blocker (vote)
Assignee: _ tboudreau
URL:
Keywords:
Depends on:
Blocks: 170646 170656
  Show dependency tree
 
Reported: 2009-08-19 17:32 UTC by _ tboudreau
Modified: 2009-08-31 20:26 UTC (History)
1 user (show)

See Also:
Issue Type: ENHANCEMENT
Exception Reporter:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description _ tboudreau 2009-08-19 17:32:17 UTC 
Java card projects use a keystore for signing.  Keystores may have an overall password.  There needs to be a field in the security customizer for this info.

This raises a security issue:  Open questions - Anki, please clarify.  Do we:
1. Store the password in the clear in project.properties (will be shared in version control and can be read by anyone who checks the project out or gets its 
source code)
2.  Store the password with breakable obfuscation in project.properties - i.e. base64 or something (will be shared in version control and can be read by 
anyone who checks the project out or gets its source code)
3.  Store the password with strong encryption in project.properties - (will be shared in version control and can be read by anyone who checks the project 
out or gets its source code) -however, the private key will need to be embedded in NetBeans and available to Ant tasks, so this is just obfuscation - 
somebody who really wants to can find the key
4. Store the password in the clear in nbproject/private/private.properties (will NOT be shared in version control, but anyone who wants to build the project 
needs to get the password from someone else or change the keystore used).  Someone with access to the machine w/ the password will be able to read the 
password.
5. Store the password with breakable obfuscation in nbproject/private/private.properties (will NOT be shared in version control, but anyone who wants to 
build the project needs to get the password from someone else or change the keystore used).  Someone with access to the machine w/ the password will 
be able to copy the munged password.
Comment 1 _ tboudreau 2009-08-27 16:40:18 UTC 
Fixed in changeset 250b7f20de16 - build-script support (issue 171017 pending).
Comment 2 Quality Engineering 2009-08-31 20:26:14 UTC 
Integrated into 'main-golden', will be available in build *200908311509* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/250b7f20de16
User: Tim Boudreau <tboudreau@netbeans.org>
Log: #170647, #170650, #170652 - project properties support for keystore alias and master/alias password.  Build script support pending.