Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle BC-FIPS related exception and propagate exception causes #155

Merged
merged 1 commit into from
Jul 5, 2024
Merged

Handle BC-FIPS related exception and propagate exception causes #155

merged 1 commit into from
Jul 5, 2024

Conversation

jtnord
Copy link
Member

@jtnord jtnord commented Jul 5, 2024

When testing with BC-FIPS PEMEncodeable was failing in some unexpected ways.

in the first if we could not convert due to a PKCSException or InvalidKeySpecException then the cause was logged and a new exception without details was thrown. This means the underlying cause is lost when using any exception in a FormValidation.

In the second case when using a key that had too short of salt an org.bouncycastle.crypto.fips.FipsUnapprovedOperationError was thrown which being an error would ripple up and cause an unexpected error.

We now catch this error and wrap it in an UnrecoverableKeyException so it can be handled by the caller

2024-07-05 13:45:23.137+0000 [id=18]    WARNING o.e.j.s.h.ContextHandler$Context#log: Error while serving http://myJenkins//manage/descriptorByName/com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource/checkPrivateKey
org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: salt must be at least 128 bits
        at org.bouncycastle.crypto.fips.FipsPBKD$Parameters.<init>(Unknown Source)
        at org.bouncycastle.crypto.fips.FipsPBKD$Parameters.withSalt(Unknown Source)
        at org.bouncycastle.jcajce.provider.ProvPBEPBKDF2$BasePBKDF2.engineGenerateSecret(Unknown Source)
        at java.base/javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:334)
        at org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder$1.get(Unknown Source)
        at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
        at jenkins.bouncycastle.api.PEMEncodable.convertedPemToPemDecodable(PEMEncodable.java:226)
        at jenkins.bouncycastle.api.PEMEncodable.decodeAll(PEMEncodable.java:201)
        at com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource$DescriptorImpl.doCheckPrivateKey(CertificateCredentialsImpl.java:776)

Testing done

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@jtnord jtnord requested a review from a team as a code owner July 5, 2024 14:23
@jtnord jtnord added the bug label Jul 5, 2024
jtnord
jtnord commented Jul 5, 2024
View reviewed changes
src/main/java/jenkins/bouncycastle/api/PEMEncodable.java
throw new AssertionError(
"RSA algorithm support is mandated by Java Language Specification. See https://docs.oracle.com/javase/7/docs/api/java/security/KeyFactory.html");
throw new IOException("Algorithm required for parsing is not implemented", e);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the key could be types other than RSA so this was not actually correct.

src/main/java/jenkins/bouncycastle/api/PEMEncodable.java
@@ -245,13 +244,23 @@ private static final PEMEncodable convertedPemToPemDecodable(Object object, char
+ object.getClass().getName());
}
} catch (PKCSException | InvalidKeySpecException e) {
LOGGER.log(Level.WARNING, "Could not read PEM encrypted information", e);
throw new UnrecoverableKeyException();
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this previously swallowed the reason why from the caller - let the caller log and handle all the information just as they would for the other exceptions

@jtnord
Handle BC-FIPS related exception and propagate exception causes
e306e53 
When testing with BC-FIPS PEMEncodeable was failing in some unexpected
ways.

in the first if we could not convert due to a PKCSException or InvalidKeySpecException
then the cause was logged and a new exception without details was thrown.
This means the underlying cause is lost when using any exception in a
FormValidation.

In the second case when using a key that had too short of salt an
org.bouncycastle.crypto.fips.FipsUnapprovedOperationError was thrown
which being an error would ripple up and cause an unexpected error.

We now catch this error and wrap it in an UnrecoverableKeyException so
it can be handled by the caller
@jtnord jtnord force-pushed the better-exception-handling branch from 2031aad to e306e53 Compare July 5, 2024 14:27
@jtnord jtnord merged commit e27176e into jenkinsci:master Jul 5, 2024
17 checks passed
@jtnord jtnord deleted the better-exception-handling branch July 5, 2024 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PereBueno PereBueno PereBueno approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jtnord @PereBueno