
[JENKINS-72249] switch to JcaContentSignerBuilder in order to obtain a ContentSigner #102

Merged
merged 1 commit, Oct 31, 2023

Conversation

@jtnord jtnord commented Oct 30, 2023

JENKINS-72249 can not connect JNLP4 agents to controller with BC-FIPS configured

Switch implementation to use classes available in both regular and fips versions of bouncycastle.

AsymmetricKeyParameter was available in bcprov but not in bc-fips. JcaContentSignerBuilder is available in the regular bcpkix and bcpkix-fips.

The higher level API also has the benefit that the code becomes more legible.

Testing done

  • tested a snapshot of this in a clean non fips environment and provisioned a k8s based agent using JNLP4.

  • tested a snapshot of this PR in the environment that exhibited the issue and validated that k8s based JNLP4 agents can launch without issue after this change.

  • Additionally excluded the bouncycastle jars and substituted in the bc-fips variants, registered the provider in the tests and ran the tests that covered this area (mvn -Dtest=ReadWriteKeyTest InstanceIdentityTest).

Diff used for the bc-fips test run:
diff --git a/pom.xml b/pom.xml
index 606eb3a..6e10a0e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -61,9 +61,33 @@
     </dependencies>
   </dependencyManagement>
   <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bc-fips</artifactId>
+      <version>1.0.2.4</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-fips</artifactId>
+      <version>1.0.7</version>
+    </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>bouncycastle-api</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcpkix-jdk18on</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcprov-jdk18on</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcutil-jdk18on</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
   </dependencies>
 </project>
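Review bot: the two bc-fips dependencies added at the top of the `<dependencies>` block carry no `<scope>test</scope>`, so as written they become compile-scope dependencies of the module (and of anything that depends on it) if this diff were ever committed rather than kept as the local substitution the description says it was; add `<scope>test</scope>` to both, or keep them out of the POM entirely. The exclusions on bouncycastle-api remove bcprov/bcpkix/bcutil from that one path only, so a transitive copy of the regular bcprov could still arrive through another dependency; running `mvn dependency:tree -Dincludes=org.bouncycastle` before the test run is the quick way to confirm that only the -fips artifacts are on the classpath.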
diff --git a/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java b/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java
index d7743ad..0cbd90f 100644
--- a/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java
+++ b/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java
@@ -31,7 +31,7 @@ import java.io.File;
 import java.io.FileInputStream;
 
 import static org.junit.Assert.*;
-
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
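Review bot: the new `import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;` replaces the blank line that separated the `import static org.junit.Assert.*;` group from the regular imports, so the static and non-static groups now run together; restore the blank line after the static import and keep the bouncycastle import with the other non-static ones (it already sorts before org.junit, so only the separator is missing).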
@@ -39,6 +39,10 @@ import org.jvnet.hudson.test.recipes.LocalData;
 
 public class InstanceIdentityTest {
 
+    static {
+        java.security.Security.addProvider(new BouncyCastleFipsProvider());
+    }
+
     @Rule public JenkinsRule r = new JenkinsRule();
 
     private static final String TEST_IDENTITY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6R6FrlvuyBPstxHKCnRL+oKzEGlgGydD/1Tj/LhCAzgXKnJZFEvo3rrz8CqcWbW3gt04bNXcET9NvAATisR1KP2Zi3EUG/jsXy7q9tr9t0NVAgGC5i5MtU+VFo/te0xAou7nsGng6T/FCXCq1nSeBdfAEQ23+fwyNtJpSbP2EqOrycLox+Xh6M91rt1c3JEHEe/FIrD+NhHQ4m6R/HwWH6DDq8W7P8y9j9/ToVSBBZr0pRETBZre5nkJiwJ/EWnbjqqJ/LguOMTukxPXe8/b9CDFrkuzpYUn8ChtL0DDCE/SoI9jwBSXwj5kQyNoyC9sVrbmEbuAPZ2dRzcDen09CwIDAQAB";
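Review bot: `java.security.Security.addProvider(new BouncyCastleFipsProvider())` appends BCFIPS to the end of the provider list, so unless the code under test requests the provider by name, `KeyFactory`/`Signature` lookups for RSA can still be served by the JDK's SunRsaSign and the test would pass without exercising bc-fips at all; either register with `Security.insertProviderAt(new BouncyCastleFipsProvider(), 1)` or assert in the test which provider the obtained object came from via `getProvider().getName()`. Minor: the fully qualified `java.security.Security` here is inconsistent with ReadWriteKeyTest, which imports `java.security.Security`.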
diff --git a/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java b/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java
index 5ba9fcf..e3c0dda 100644
--- a/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java
+++ b/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java
@@ -35,8 +35,10 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyPair;
+import java.security.Provider;
 import java.security.Security;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+//import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.jenkinsci.main.modules.instance_identity.pem.PEMHelper;
 import org.junit.BeforeClass;
 import org.junit.Rule;
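Review bot: `import java.security.Provider;` is added but nothing in the diff uses it, and the old `BouncyCastleProvider` import is commented out rather than deleted; remove both so the change reads as a clean swap to `BouncyCastleFipsProvider` (version control keeps the history, a commented-out import does not help the reader).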
@@ -45,6 +47,9 @@ import org.junit.rules.TemporaryFolder;
 
 public class ReadWriteKeyTest {
 
+    static {
+        java.security.Security.addProvider(new BouncyCastleFipsProvider());
+    }
     private static Path PEM_PCKS1_FILE;
     private static Path PEM_PCKS8_FILE;
     private static byte[] KEY_PRIVATE_ENCODED;
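Review bot: the static block registering BouncyCastleFipsProvider is a verbatim copy of the one in InstanceIdentityTest and lacks the blank line before `private static Path PEM_PCKS1_FILE;`; if this substitution were to become a real FIPS test profile, a shared test-utility class or JUnit rule would avoid registering the provider in two places (`Security.addProvider` returns -1 for an already installed provider name, so it is harmless, but the duplication hides which test owns the setup). The context lines also show the pre-existing `PEM_PCKS1_FILE` / `PEM_PCKS8_FILE` names, which misspell PKCS.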
@@ -70,7 +75,7 @@ public class ReadWriteKeyTest {
                 .getClassLoader()
                 .getResource("private-key-public-encoded.bin")
                 .toURI()));
-        Security.addProvider(new BouncyCastleProvider());
+        //Security.addProvider(new BouncyCastleProvider());
     }
 
     @Test
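Review bot: `//Security.addProvider(new BouncyCastleProvider());` in the `@BeforeClass` method is dead code left behind by the swap; delete the line rather than commenting it out. Since the static initializer runs before `@BeforeClass`, the provider is now registered earlier than it used to be (before the key-file resources are resolved), which is fine for these tests but worth stating in the description so the ordering change is deliberate.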

Submitter checklist

  1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  2. Ensure that the pull request title represents the desired changelog entry
  3. Please describe what you did
  4. Link to relevant issues in GitHub or Jira
  5. Link to relevant pull requests, esp. upstream and downstream changes
  6. Ensure you have provided tests that demonstrate the feature works or fix the issue
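As an added example (not the module's code and not part of this PR), the following Java program shows the higher-level pattern the description refers to: JcaContentSignerBuilder turns a plain java.security.PrivateKey into a ContentSigner without touching bcprov-only types such as AsymmetricKeyParameter, so the same source compiles and runs against either bcprov-jdk18on + bcpkix-jdk18on or bc-fips + bcpkix-fips, selected only by the provider name. The provider name argument, the reflective loading of the provider class, the certificate subject and the signer/converter helper names are assumptions made for the example; the Jenkins module's own signing code is not reproduced here.

```java
// Added example, not the instance-identity module's code: build a ContentSigner
// through JcaContentSignerBuilder (bcpkix / bcpkix-fips) and use it to self-sign
// an X.509 certificate, then verify the signature with plain JCA.
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SelfSignedWithContentSigner {

    // Assumption: providerName ("BC" or "BCFIPS") is already registered with
    // java.security.Security. The builder only needs a JCA PrivateKey, which is
    // why it works with both the regular and the FIPS distributions.
    static ContentSigner signerFor(PrivateKey key, String providerName) throws Exception {
        return new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider(providerName)
                .build(key);
    }

    // Self-signs a one-year certificate for the given key pair (subject name is
    // an assumption for the example).
    static X509Certificate selfSign(KeyPair kp, String providerName) throws Exception {
        X500Name name = new X500Name("CN=example-instance-identity");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore, notAfter, name, kp.getPublic());
        X509CertificateHolder holder = builder.build(signerFor(kp.getPrivate(), providerName));
        return new JcaX509CertificateConverter().setProvider(providerName).getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        String providerName = args.length > 0 ? args[0] : "BC";
        // Load the matching provider class reflectively so this file compiles
        // against either distribution: BouncyCastleProvider lives in bcprov,
        // BouncyCastleFipsProvider in bc-fips.
        String providerClass = "BCFIPS".equals(providerName)
                ? "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
                : "org.bouncycastle.jce.provider.BouncyCastleProvider";
        Security.addProvider((Provider) Class.forName(providerClass)
                .getDeclaredConstructor().newInstance());

        // Ask the chosen provider explicitly, so the key really comes from it
        // (addProvider appends to the end of the list and would otherwise be
        // shadowed by SunRsaSign for RSA).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", providerName);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        X509Certificate cert = selfSign(kp, providerName);
        cert.verify(kp.getPublic()); // throws if the ContentSigner produced a bad signature
        System.out.println("provider=" + providerName + " sigAlg=" + cert.getSigAlgName()
                + " subject=" + cert.getSubjectX500Principal());
    }
}
```

Run it once with bcprov-jdk18on and bcpkix-jdk18on on the classpath and the argument `BC`, and once with bc-fips and bcpkix-fips and the argument `BCFIPS`; the source is identical in both runs, which is the property the PR relies on. One caveat: bc-fips running in approved-only mode imposes further requirements on the JVM (an approved DRBG as the default SecureRandom, for instance) that this example does not configure, so a failure there is a configuration problem of the FIPS module rather than of the signer-builder API.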

…a ContentSigner

Switch the implementation to JcaContentSignerBuilder which is available
in the regular bcpkix and bcpkix-fips

The higher level API also has the benefit that the code becomes more legible.
@jtnord jtnord requested review from olamy and a team October 30, 2023 13:34
@timja timja left a comment

nice

@jglick jglick commented Oct 30, 2023

@jtnord would you like a release now, or are you waiting for a review from @olamy?

@jtnord jtnord (author) commented Oct 30, 2023

Thanks for asking @jglick.
I was giving @olamy chance to review as I'm not in a rush.
I should have write permissions here also to be able to merge.

@olamy olamy left a comment

lgtm

@jtnord jtnord merged commit 303dc7c into jenkinsci:master Oct 31, 2023
14 checks passed
@basil basil mentioned this pull request Oct 31, 2023