[JENKINS-73334] make plugin FIPS-140 compliant by blocking PKCS#12 certificates when in FIPS mode

src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java

@@ -59,6 +59,7 @@
 import java.util.logging.Logger;
 
 import jenkins.model.Jenkins;
+import jenkins.security.FIPS140;
 import net.jcip.annotations.GuardedBy;
 import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.lang.StringUtils;
@@ -404,7 +405,7 @@ private Object readResolve() {
     }
 
     /**
-     * Let the user reference an uploaded file.
+     * Let the user reference an uploaded PKCS12 file.
      */
     public static class UploadedKeyStoreSource extends KeyStoreSource implements Serializable {
         /**
@@ -435,6 +436,7 @@ public static class UploadedKeyStoreSource extends KeyStoreSource implements Ser
         @SuppressWarnings("unused") // by stapler
         @Deprecated
         public UploadedKeyStoreSource(String uploadedKeystore) {
+            ensureNotRunningInFIPSMode();
             this.uploadedKeystoreBytes = StringUtils.isBlank(uploadedKeystore)
                     ? null
                     : SecretBytes.fromBytes(DescriptorImpl.toByteArray(Secret.fromString(uploadedKeystore)));
@@ -449,6 +451,7 @@ public UploadedKeyStoreSource(String uploadedKeystore) {
         @SuppressWarnings("unused") // by stapler
         @Deprecated
         public UploadedKeyStoreSource(@CheckForNull SecretBytes uploadedKeystore) {
+            ensureNotRunningInFIPSMode();
             this.uploadedKeystoreBytes = uploadedKeystore;
         }
 
@@ -461,6 +464,7 @@ public UploadedKeyStoreSource(@CheckForNull SecretBytes uploadedKeystore) {
         @SuppressWarnings("unused") // by stapler
         @DataBoundConstructor
         public UploadedKeyStoreSource(FileItem uploadedCertFile, @CheckForNull SecretBytes uploadedKeystore) {
+            ensureNotRunningInFIPSMode();
             if (uploadedCertFile != null) {
                 byte[] fileBytes = uploadedCertFile.get();
                 if (fileBytes.length != 0) {
@@ -478,6 +482,7 @@ public UploadedKeyStoreSource(FileItem uploadedCertFile, @CheckForNull SecretByt
          * @since 2.1.5
          */
         private Object readResolve() throws ObjectStreamException {
+            ensureNotRunningInFIPSMode();
             if (uploadedKeystore != null && uploadedKeystoreBytes == null) {
                 return new UploadedKeyStoreSource(SecretBytes.fromBytes(DescriptorImpl.toByteArray(uploadedKeystore)));
             }
@@ -526,13 +531,31 @@ public String toString() {
             return "UploadedKeyStoreSource{uploadedKeystoreBytes=******}";
         }
 
+        /*
+         * Prevents the use of any direct usage of the class when running in FIPS mode as PKCS12 is not compliant.
+         */
+        private static void ensureNotRunningInFIPSMode() {
+            if (FIPS140.useCompliantAlgorithms()) {
+                throw new IllegalStateException("UploadedKeyStoreSource is not compliant with FIPS-140 and can not be used when Jenkins is in FIPS mode. " +
+                                                "This is an error in the calling code and an issue should be filed against the plugin that is calling to adapt to become FIPS compliant.");
+            }
+        }
+
         /**
          * {@inheritDoc}
          */
-        @Extension
         public static class DescriptorImpl extends KeyStoreSourceDescriptor {
             public static final String DEFAULT_VALUE = UploadedKeyStoreSource.class.getName() + ".default-value";
 
+            /**
+             * Creates the extension if we are not in FIPS mode, do <em>NOT</em> call this directly!
+             */
+            @Restricted(NoExternalUse.class)
+            @Extension
+            public static DescriptorImpl extension() {
+                return FIPS140.useCompliantAlgorithms() ? null : new DescriptorImpl();
+            }
+
             /**
              * Decode the {@link Base64} keystore wrapped in a {@link Secret}.
              *

src/main/resources/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/credentials.jelly

@@ -26,7 +26,15 @@
 
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler">
   <f:entry title="${%Certificate}" field="keyStoreSource">
-    <f:hetero-radio field="keyStoreSource" descriptors="${descriptor.getPropertyType('keyStoreSource').applicableDescriptors}"/>
+    <j:set var="keyStoreSourceDescriptors" value="${descriptor.getPropertyType('keyStoreSource').applicableDescriptors}"/>
+    <j:choose>
+        <j:when test="${keyStoreSourceDescriptors.isEmpty()}">
+            <div class="warning">Jenkins has no <code>KeyStoreSources</code> available, Certificate credentials will not be able to be created.</div>
+        </j:when>
+        <j:otherwise>
+            <f:hetero-radio field="keyStoreSource" descriptors="${keyStoreSourceDescriptors}"/>
+        </j:otherwise>
+    </j:choose>
   </f:entry>
   <f:entry title="${%Password}" field="password">
     <f:password value="${instance==null || instance.passwordEmpty ? '' : instance.password}"/>