Merge pull request #543 from jtnord/JENKINS-73335

[JENKINS-73335] add support for PEM encoded certificate (and key)
jenkinsci · Jul 12, 2024 · fee6b09 · fee6b09
2 parents 56f5ca3 + e2d2a4e
commit fee6b09
Show file tree

Hide file tree

Showing 12 changed files with 606 additions and 105 deletions.
diff --git a/pom.xml b/pom.xml
@@ -88,6 +88,7 @@
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
         <artifactId>bom-2.426.x</artifactId>
+        <!-- when updating remove the bouncycastle-api override -->
         <version>2961.v1f472390972e</version>
         <scope>import</scope>
         <type>pom</type>
@@ -105,7 +106,11 @@
       <artifactId>configuration-as-code</artifactId>
       <optional>true</optional>
     </dependency>
-
+    <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>bouncycastle-api</artifactId>
+        <version>2.30.1.78.1-246.ve1089fe22055</version>
+    </dependency>
     <!-- test dependencies -->
     <dependency>
       <groupId>org.mockito</groupId>

diff --git a/src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java b/src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java
diff --git a/...s/plugins/credentials/impl/CertificateCredentialsImpl/PEMEntryKeyStoreSource/config.jelly b/...s/plugins/credentials/impl/CertificateCredentialsImpl/PEMEntryKeyStoreSource/config.jelly
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<?jelly escape-by-default='true'?>
+<!--
+ ~ The MIT License
+ ~
+ ~ Copyright (c) 2024, CloudBees, Inc.
+ ~
+ ~ Permission is hereby granted, free of charge, to any person obtaining a copy
+ ~ of this software and associated documentation files (the "Software"), to deal
+ ~ in the Software without restriction, including without limitation the rights
+ ~ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ ~ copies of the Software, and to permit persons to whom the Software is
+ ~ furnished to do so, subject to the following conditions:
+ ~
+ ~ The above copyright notice and this permission notice shall be included in
+ ~ all copies or substantial portions of the Software.
+ ~
+ ~ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ ~ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ ~ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ ~ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ ~ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ ~ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ ~ THE SOFTWARE.
+ -->
+
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
+   <f:entry title="Certificates" field="certChain">
+        <f:secretTextarea />
+    </f:entry>
+    <f:entry title="Private key" field="privateKey">
+        <f:secretTextarea />
+    </f:entry>
+</j:jelly>
diff --git a/...ns/credentials/impl/CertificateCredentialsImpl/PEMEntryKeyStoreSource/help-certChain.html b/...ns/credentials/impl/CertificateCredentialsImpl/PEMEntryKeyStoreSource/help-certChain.html
@@ -0,0 +1,37 @@
+<!--
+# The MIT License
+#
+# Copyright (c) 2024, CloudBees
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+-->
+
+<div>
+    A certificate chain containing one or more PEM encoded certificates. 
+    The certificates must be in order such that each one directly certifies the preceding one.
+    The certificate, for which the private key will be entered below must appear first.
+    <p>The entry should look something like the following:</p>
+    <pre>
+-----BEGIN CERTIFICATE----- 
+Base64 encoded contents 
+-----END CERTIFICATE----- 
+-----BEGIN CERTIFICATE----- 
+Base64 encoded contents  
+-----END CERTIFICATE----</pre>
+</div>
diff --git a/...s/credentials/impl/CertificateCredentialsImpl/PEMEntryKeyStoreSource/help-privateKey.html b/...s/credentials/impl/CertificateCredentialsImpl/PEMEntryKeyStoreSource/help-privateKey.html
@@ -0,0 +1,32 @@
+<!--
+# The MIT License
+#
+# Copyright (c) 2024, CloudBees
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+-->
+
+<div>
+    A single PEM encoded private key that is the key for the primary certificate entered above. 
+    <p>The entry should look something like the following:</p>
+    <pre>
+-----BEGIN PRIVATE KEY----- 
+Base64 encoded contents 
+-----END PRIVATE KEY----- </pre>
+</div>
diff --git a/...s/plugins/credentials/impl/CertificateCredentialsImpl/UploadedKeyStoreSource/config.jelly b/...s/plugins/credentials/impl/CertificateCredentialsImpl/UploadedKeyStoreSource/config.jelly
@@ -55,6 +55,11 @@
         uploadedCertFileInput.onchange = fileOnChange.bind(uploadedCertFileInput);
       }
       function fileOnChange() {
+        // only trigger validation if the PKCS12 upload is selected
+        var e = document.getElementById("${fileId}");
+        if (e.closest(".form-container").className.indexOf("-hidden") != -1) {
+            return
+        }
         try { // inspired by https://stackoverflow.com/a/754398
           var uploadedCertFileInputFile = uploadedCertFileInput.files[0];
           var reader = new FileReader();

diff --git a/...urces/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/credentials.jelly b/...urces/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/credentials.jelly
@@ -37,7 +37,7 @@
     </j:choose>
   </f:entry>
   <f:entry title="${%Password}" field="password">
-    <f:password value="${instance==null || instance.passwordEmpty ? '' : instance.password}"/>
+    <f:password value="${instance==null || instance.passwordEmpty ? '' : instance.password}" />
   </f:entry>
   <st:include page="id-and-description" class="${descriptor.clazz}"/>
 </j:jelly>
diff --git a/src/main/resources/com/cloudbees/plugins/credentials/impl/Messages.properties b/src/main/resources/com/cloudbees/plugins/credentials/impl/Messages.properties
@@ -28,5 +28,19 @@ CertificateCredentialsImpl.LoadKeyFailed=Could retrieve key "{0}"
 CertificateCredentialsImpl.LoadKeyFailedQueryEmptyPassword=Could retrieve key "{0}". You may need to provide a password
 CertificateCredentialsImpl.LoadKeystoreFailed=Could not load keystore
 CertificateCredentialsImpl.NoCertificateUploaded=No certificate uploaded
-CertificateCredentialsImpl.UploadedKeyStoreSourceDisplayName=Upload PKCS#12 certificate
-
+CertificateCredentialsImpl.UploadedKeyStoreSourceDisplayName=Upload PKCS#12 certificate and key
+CertificateCredentialsImpl.PEMEntryKeyStoreSourceDisplayName=PEM encoded certificate and key
+CertificateCredentialsImpl.PEMNoCertificates=No certificates where provided
+CertificateCredentialsImpl.PEMNoKey=No key was provided
+CertificateCredentialsImpl.PEMNoPassword=No password was provided
+CertificateCredentialsImpl.ShortPassword=Password is short (< 14 characters)
+CertificateCredentialsImpl.ShortPasswordFIPS=Password is too short (< 14 characters)
+CertificateCredentialsImpl.NoPassword=Password is empty
+CertificateCredentialsImpl.PEMNoCertificate=No Certificates provided
+CertificateCredentialsImpl.PEMNonCertificates=PEM contains non certificate entries
+CertificateCredentialsImpl.PEMCertificateParsingError=Could not parse certificate chain: {0}
+CertificateCredentialsImpl.PEMNoKeys=No Keys Provided
+CertificateCredentialsImpl.PEMMultipleKeys=More than 1 key provided
+CertificateCredentialsImpl.PEMNonKeys=PEM contains non key entries
+CertificateCredentialsImpl.PEMKeyInfo={0} {1} private key
+CertificateCredentialsImpl.PEMKeyParseError=Could not parse key: {0}
diff --git a/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsCategoryTest.java b/src/test/java/com/cloudbees/plugins/credentials/casc/CredentialsCategoryTest.java
@@ -17,6 +17,7 @@
 import static io.jenkins.plugins.casc.misc.Util.toYamlString;
 import io.jenkins.plugins.casc.model.CNode;
 import java.io.ByteArrayOutputStream;
+
 import jenkins.model.GlobalConfiguration;
 import jenkins.model.GlobalConfigurationCategory;
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -101,12 +102,13 @@ public void exportUsernamePasswordCredentialsImplConfiguration() throws Exceptio
 
     @Test
     public void exportCertificateCredentialsImplConfiguration() throws Exception {
+        byte[] p12Bytes = CertificateCredentialsImpl.class.getResourceAsStream("test.p12").readAllBytes();
         CertificateCredentialsImpl certificateCredentials =
                 new CertificateCredentialsImpl(CredentialsScope.GLOBAL,
                                                "credential-certificate",
                                                "Credential with certificate",
                                                "password",
-                                               new CertificateCredentialsImpl.UploadedKeyStoreSource(null, SecretBytes.fromBytes("Testing not real certificate".getBytes())));
+                                               new CertificateCredentialsImpl.UploadedKeyStoreSource(null, SecretBytes.fromBytes(p12Bytes)));
 
         SystemCredentialsProvider.getInstance().getCredentials().add(certificateCredentials);
         ByteArrayOutputStream out = new ByteArrayOutputStream();

diff --git a/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java b/src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java
@@ -26,57 +26,49 @@
 
 import com.cloudbees.hudson.plugins.folder.Folder;
 import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider;
-import com.cloudbees.plugins.credentials.Credentials;
 import com.cloudbees.plugins.credentials.CredentialsNameProvider;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.CredentialsStore;
 import com.cloudbees.plugins.credentials.SecretBytes;
-import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.cloudbees.plugins.credentials.common.CertificateCredentials;
 import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
-import com.cloudbees.plugins.credentials.domains.Domain;
 import org.htmlunit.FormEncodingType;
 import org.htmlunit.HttpMethod;
 import org.htmlunit.Page;
 import org.htmlunit.WebRequest;
 import org.htmlunit.html.DomNode;
 import org.htmlunit.html.DomNodeList;
+import org.htmlunit.html.HtmlButton;
 import org.htmlunit.html.HtmlElementUtil;
 import org.htmlunit.html.HtmlFileInput;
 import org.htmlunit.html.HtmlForm;
 import org.htmlunit.html.HtmlOption;
 import org.htmlunit.html.HtmlPage;
 import org.htmlunit.html.HtmlRadioButtonInput;
-import hudson.FilePath;
+
 import hudson.Util;
-import hudson.cli.CLICommandInvoker;
-import hudson.cli.UpdateJobCommand;
 import hudson.model.ItemGroup;
-import hudson.model.Job;
 import hudson.security.ACL;
 import hudson.util.Secret;
-import jenkins.model.Jenkins;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
-import org.jvnet.hudson.test.recipes.LocalData;
 
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.security.KeyStore;
 import java.util.Base64;
-import java.util.Collections;
 import java.util.List;
 
-import static hudson.cli.CLICommandInvoker.Matcher.failedWith;
-import static hudson.cli.CLICommandInvoker.Matcher.succeeded;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.hasSize;
 import static org.junit.Assert.*;
@@ -91,10 +83,14 @@ public class CertificateCredentialsImplTest {
 
     private File p12;
     private File p12Invalid;
+    private String pemCert;
+    private String pemKey;
 
     private static final String VALID_PASSWORD = "password";
     private static final String INVALID_PASSWORD = "blabla";
     private static final String EXPECTED_DISPLAY_NAME = "EMAILADDRESS=me@myhost.mydomain, CN=pkcs12, O=Fort-Funston, L=SanFrancisco, ST=CA, C=US";
+    // BC uses a different format even though the file was converted from the pkcs12 file
+    private static final String EXPECTED_DISPLAY_NAME_PEM = "C=US,ST=CA,L=SanFrancisco,O=Fort-Funston,CN=pkcs12,E=me@myhost.mydomain";
 
     @Before
     public void setup() throws IOException {
@@ -103,6 +99,9 @@ public void setup() throws IOException {
         p12Invalid = tmp.newFile("invalid.p12");
         FileUtils.copyURLToFile(CertificateCredentialsImplTest.class.getResource("invalid.p12"), p12Invalid);
 
+        pemCert = IOUtils.toString(CertificateCredentialsImplTest.class.getResource("certs.pem"), StandardCharsets.UTF_8);
+        pemKey = IOUtils.toString(CertificateCredentialsImplTest.class.getResource("key.pem"), StandardCharsets.UTF_8);
+
         r.jenkins.setCrumbIssuer(null);
     }
 
@@ -212,7 +211,8 @@ public void doCheckUploadedKeystore_keyStoreInvalid() throws Exception {
     @Issue("JENKINS-63761")
     public void fullSubmitOfUploadedKeystore() throws Exception {
         String certificateDisplayName = r.jenkins.getDescriptor(CertificateCredentialsImpl.class).getDisplayName();
-
+        String KeyStoreSourceDisplayName = r.jenkins.getDescriptor(CertificateCredentialsImpl.UploadedKeyStoreSource.class).getDisplayName();
+
         JenkinsRule.WebClient wc = r.createWebClient();
         HtmlPage htmlPage = wc.goTo("credentials/store/system/domain/_/newCredentials");
         HtmlForm newCredentialsForm = htmlPage.getFormByName("newCredentials");
@@ -234,9 +234,11 @@ public void fullSubmitOfUploadedKeystore() throws Exception {
             return false;
         });
         assertTrue("The Certificate option was not found in the credentials type select", optionFound);
-
-        HtmlRadioButtonInput keyStoreRadio = htmlPage.getDocumentElement().querySelector("input[name$=keyStoreSource]");
-        HtmlElementUtil.click(keyStoreRadio);
+
+        List<HtmlRadioButtonInput> inputs = htmlPage.getDocumentElement().
+                getByXPath("//input[contains(@name, 'keyStoreSource') and following-sibling::label[contains(.,'"+KeyStoreSourceDisplayName+"')]]");
+        assertThat("query should return only a singular input", inputs, hasSize(1));
+        HtmlElementUtil.click(inputs.get(0));
 
         HtmlFileInput uploadedCertFileInput = htmlPage.getDocumentElement().querySelector("input[type=file][name=uploadedCertFile]");
         uploadedCertFileInput.setFiles(p12);
@@ -258,6 +260,66 @@ public void fullSubmitOfUploadedKeystore() throws Exception {
         assertEquals(EXPECTED_DISPLAY_NAME, displayName);
     }
 
+    @Test
+    @Issue("JENKINS-73335")
+    public void fullSubmitOfUploadedPEM() throws Exception {
+        String certificateDisplayName = r.jenkins.getDescriptor(CertificateCredentialsImpl.class).getDisplayName();
+        String KeyStoreSourceDisplayName = r.jenkins.getDescriptor(CertificateCredentialsImpl.PEMEntryKeyStoreSource.class).getDisplayName();
+
+        JenkinsRule.WebClient wc = r.createWebClient();
+        HtmlPage htmlPage = wc.goTo("credentials/store/system/domain/_/newCredentials");
+        HtmlForm newCredentialsForm = htmlPage.getFormByName("newCredentials");
+
+        DomNodeList<DomNode> allOptions = htmlPage.getDocumentElement().querySelectorAll("select.dropdownList option");
+        boolean optionFound = allOptions.stream().anyMatch(domNode -> {
+            if (domNode instanceof HtmlOption) {
+                HtmlOption option = (HtmlOption) domNode;
+                if (option.getVisibleText().equals(certificateDisplayName)) {
+                    try {
+                        HtmlElementUtil.click(option);
+                    } catch (IOException e) {
+                        throw new RuntimeException(e);
+                    }
+                    return true;
+                }
+            }
+
+            return false;
+        });
+        assertTrue("The Certificate option was not found in the credentials type select", optionFound);
+
+        List<HtmlRadioButtonInput> inputs = htmlPage.getDocumentElement().
+                getByXPath("//input[contains(@name, 'keyStoreSource') and following-sibling::label[contains(.,'"+KeyStoreSourceDisplayName+"')]]");
+        assertThat("query should return only a singular input", inputs, hasSize(1));
+        HtmlElementUtil.click(inputs.get(0));
+
+        // enable entry of the secret (HACK just click all the Add buttons)
+        List<HtmlButton> buttonsByName =  htmlPage.getDocumentElement().getByXPath("//button[contains(.,'Add')]");
+        assertThat("I need 2 buttons", buttonsByName, hasSize(2));
+        for (HtmlButton b : buttonsByName) {
+            HtmlElementUtil.click(b);
+        }
+
+        newCredentialsForm.getTextAreaByName("_.certChain").setTextContent(pemCert);
+        newCredentialsForm.getTextAreaByName("_.privateKey").setTextContent(pemKey);
+
+        // for all the types of credentials
+        newCredentialsForm.getInputsByName("_.password").forEach(input -> input.setValue(VALID_PASSWORD));
+
+        List<CertificateCredentials> certificateCredentials = CredentialsProvider.lookupCredentialsInItemGroup(CertificateCredentials.class, (ItemGroup<?>) null, ACL.SYSTEM2);
+        assertThat(certificateCredentials, hasSize(0));
+
+        r.submit(newCredentialsForm);
+
+        certificateCredentials = CredentialsProvider.lookupCredentialsInItemGroup(CertificateCredentials.class, (ItemGroup<?>) null, ACL.SYSTEM2);
+        assertThat(certificateCredentials, hasSize(1));
+
+        CertificateCredentials certificate = certificateCredentials.get(0);
+        KeyStore ks = certificate.getKeyStore();
+        String displayName = StandardCertificateCredentials.NameProvider.getSubjectDN(certificate.getKeyStore());
+        assertEquals(EXPECTED_DISPLAY_NAME_PEM, displayName);
+    }
+
     private String getValidP12_base64() throws Exception {
         return Base64.getEncoder().encodeToString(Files.readAllBytes(p12.toPath()));
     }