Skip to content

Commit

Permalink
[JENKINS-73334] Block the use of PKCS#12 when in FIPS mode
Browse files Browse the repository at this point in the history 
PKCS#12 is not FIPS compliant as such we need to block these certificate
uploades when in FIPS mode.
  • Loading branch information
@jtnord
jtnord committed Jun 20, 2024
1 parent 5e08c0a commit ac377cd
Showing 1 changed file with 25 additions and 2 deletions.
27 changes: 25 additions & 2 deletions src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@
import java.util.logging.Logger;

import jenkins.model.Jenkins;
import jenkins.security.FIPS140;
import net.jcip.annotations.GuardedBy;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.lang.StringUtils;
Expand Down Expand Up @@ -404,7 +405,7 @@ private Object readResolve() {
}

/**
* Let the user reference an uploaded file.
* Let the user reference an uploaded PKCS12 file.
*/
public static class UploadedKeyStoreSource extends KeyStoreSource implements Serializable {
/**
Expand Down Expand Up @@ -435,6 +436,7 @@ public static class UploadedKeyStoreSource extends KeyStoreSource implements Ser
@SuppressWarnings("unused") // by stapler
@Deprecated
public UploadedKeyStoreSource(String uploadedKeystore) {
ensureNotRunningInFIPSMode();
this.uploadedKeystoreBytes = StringUtils.isBlank(uploadedKeystore)
? null
: SecretBytes.fromBytes(DescriptorImpl.toByteArray(Secret.fromString(uploadedKeystore)));
Expand All @@ -449,6 +451,7 @@ public UploadedKeyStoreSource(String uploadedKeystore) {
@SuppressWarnings("unused") // by stapler
@Deprecated
public UploadedKeyStoreSource(@CheckForNull SecretBytes uploadedKeystore) {
ensureNotRunningInFIPSMode();
this.uploadedKeystoreBytes = uploadedKeystore;
}

Expand All @@ -461,6 +464,7 @@ public UploadedKeyStoreSource(@CheckForNull SecretBytes uploadedKeystore) {
@SuppressWarnings("unused") // by stapler
@DataBoundConstructor
public UploadedKeyStoreSource(FileItem uploadedCertFile, @CheckForNull SecretBytes uploadedKeystore) {
ensureNotRunningInFIPSMode();
if (uploadedCertFile != null) {
byte[] fileBytes = uploadedCertFile.get();
if (fileBytes.length != 0) {
Expand All @@ -478,6 +482,7 @@ public UploadedKeyStoreSource(FileItem uploadedCertFile, @CheckForNull SecretByt
* @since 2.1.5
*/
private Object readResolve() throws ObjectStreamException {
ensureNotRunningInFIPSMode();
if (uploadedKeystore != null && uploadedKeystoreBytes == null) {
return new UploadedKeyStoreSource(SecretBytes.fromBytes(DescriptorImpl.toByteArray(uploadedKeystore)));
}
Expand Down Expand Up @@ -526,13 +531,31 @@ public String toString() {
return "UploadedKeyStoreSource{uploadedKeystoreBytes=******}";
}

/*
* Prevents the use of any direct usage of the class when running in FIPS mode as PKCS12 is not compliant.
*/
private static void ensureNotRunningInFIPSMode() {
if (FIPS140.useCompliantAlgorithms()) {
throw new IllegalStateException("UploadedKeyStoreSource is not compliant with FIPS-140 and can not be used when Jenkins is in FIPS mode. " +
"This is an error in the calling code and an issue should be filed against the plugin that is calling to adapt to become FIPS compliant.");
}
}

/**
* {@inheritDoc}
*/
@Extension
public static class DescriptorImpl extends KeyStoreSourceDescriptor {
public static final String DEFAULT_VALUE = UploadedKeyStoreSource.class.getName() + ".default-value";

/**
* Creates the extension if we are not in FIPS mode, do <em>NOT</em> call this directly!
*/
@Restricted(NoExternalUse.class)
@Extension
public static DescriptorImpl extension() {
return FIPS140.useCompliantAlgorithms() ? null : new DescriptorImpl();
}

/**
* Decode the {@link Base64} keystore wrapped in a {@link Secret}.
*
Expand Down

0 comments on commit ac377cd

Please sign in to comment.