Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-73335] add support for PEM encoded certificate (and key) #543

Merged
merged 9 commits into from
Jul 12, 2024
Merged

[JENKINS-73335] add support for PEM encoded certificate (and key) #543

merged 9 commits into from
Jul 12, 2024

Conversation

jtnord
Copy link
Member

@jtnord jtnord commented Jun 24, 2024
edited
Loading

https://issues.jenkins.io/browse/JENKINS-73335

Testing done

Tested in a FIPS configured environment (e2e running Jenkins.war) and with mvn hpi:run in a regular dev environment.

tested both valid and invalid keys / password combinations and valid but not FIPS compliant keys.
FormValidation was working except https://issues.jenkins.io/browse/JENKINS-65616 and when regular textAreas where used for the secret (before switching to SecretTextArea for which https://issues.jenkins.io/browse/JENKINS-73404 has been raised)

introduced a new test to cover a happy case path usign the UI to enter a password protected key and cert.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

jtnord
jtnord commented Jun 24, 2024
View reviewed changes
pom.xml Outdated Show resolved Hide resolved
@jtnord jtnord mentioned this pull request Jul 4, 2024
Merged
6 tasks
jtnord added 4 commits July 5, 2024 17:01
@jtnord
[JENKINS-73335] add support for certificates that are not PKCS12 form…
462e240 
…atted

Provides an alternative method for entering Certificate credentials,
required when running in FIPS as we can not use PKCS12
@jtnord
Switch from file upload to user entry
44569cb 
As PEMs are not binary files but tet encoding it makes more sense to
have users enter them.

Additionally feedback is that user normally manage the certificate chain
and keys separately
@jtnord
switch to the exepcted SecretTextArea
a6e3457 
Now that formvalidation has been manually tested swap back to
SecretTextArea

The formValidation won't work pending JENKINS-73404 (and to some extent
JENKINS-65616) but once they are fixed will magically start working
@jtnord
pick up release of bouncycastle-api
a43b0b7
@jtnord jtnord marked this pull request as ready for review July 5, 2024 16:07
@jtnord jtnord requested a review from a team as a code owner July 5, 2024 16:07
jtnord
jtnord commented Jul 5, 2024
View reviewed changes
...bees/plugins/credentials/impl/CertificateCredentialsImpl/UploadedKeyStoreSource/config.jelly
@@ -55,6 +55,11 @@
uploadedCertFileInput.onchange = fileOnChange.bind(uploadedCertFileInput);
}
function fileOnChange() {
// only trigger validation if the PKCS12 upload is selected
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as there is more than one option, only trigger this validation if this descriptor is chosen.

src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java Outdated Show resolved Hide resolved
@jtnord jtnord marked this pull request as draft July 5, 2024 16:15
jtnord added a commit to jtnord/bom that referenced this pull request Jul 8, 2024
@jtnord
precheck jenkinsci/credentials-plugin#543
57ac942
This was referenced Jul 8, 2024
Merged
Merged
jtnord added a commit to jtnord/pipeline-model-definition-plugin that referenced this pull request Jul 8, 2024
@jtnord
use valid password for test code
ddcd2cd 
amends jenkinsci#723 that was working as the KeyStore was not validated.

However jenkinsci/credentials-plugin#543 now
validates the keystore and hence this test started failing as the
password did not match
@jtnord jtnord mentioned this pull request Jul 8, 2024
Merged
@jtnord jtnord marked this pull request as ready for review July 12, 2024 13:16
@jtnord jtnord merged commit fee6b09 into jenkinsci:master Jul 12, 2024
15 checks passed
@jtnord jtnord deleted the JENKINS-73335 branch July 12, 2024 15:07
timja
timja reviewed Dec 5, 2024
View reviewed changes
src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java
*/
@NonNull
public abstract byte[] getKeyStoreBytes();
@Deprecated(forRemoval = true)
Copy link
Member

@timja timja Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is used in the Azure credentials plugins for APIs that need the certificates themselves and I see no alternative in this plugin:

https://github.com/jenkinsci/azure-credentials-plugin/blob/f5b4c241e2be9303ef3a964a63c6eb7bf17c47fa/src/main/java/com/microsoft/azure/util/AzureCredentials.java#L376

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to interact with the key store via getKeyStore()

The bytes assumes the key store was a specific type (pkcs12> which is not guaranteed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes though that I want a Java KeyStore which the APIs I use here don't.

I need the PFX itself.

https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/ClientCertificateCredentialBuilder.java#L162-L165

Copy link
Member Author

@jtnord jtnord Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes though that I want a Java KeyStore

It assumes you need to do something special with the certificates/ keystore which you do.

which the APIs I use here don't.

Sounds like a bug / missing feature in the Azure SDK (I could not find an issue filed for improvement/fixing).

I need the PFX itself.

Then you need to obtain the certificates and export them in the specific format you want - getKeyStoreBytes() was never documented to do return any particular form of bytes, So this code only worked before as the calling code was assuming incorrectly about the internal representation, which is no longer valid.

Now there is no method or Helper to obtain the Certitificate chain and keys in CertificateCredentials so that is missing functionality - but if you want to guarantee PFX then that will need to be implemented outside of CertificateCredentials / StandardCertitifateCredentialsImpl.

Copy link
Member Author

@jtnord jtnord Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slightly OT is that the method was on a class inside the concrete implementation rather than the interface, which means the plugin would have not worked with alternative credential provider implementations that are implemented according to the docs.

ref

The Consumer docs could do with being improved here -> the only mention is here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks I'll take a look!

Copy link
Member

@timja timja Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm I gave it a go and I get a nullpointer buried deep in Azure code =/

jenkinsci/azure-credentials-plugin#274

It is a pkcs12 keystore so its not going into the conversion code.
There are bytes in the byte array thats passed to the input stream

java.lang.NullPointerException
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ClientCertificate.publicCertificateHash(ClientCertificate.java:39)
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.JwtHelper.buildJwt(JwtHelper.java:63)
Caused: com.microsoft.aad.msal4j.MsalClientException
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.JwtHelper.buildJwt(JwtHelper.java:71)
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ConfidentialClientApplication.buildValidClientCertificateAuthority(ConfidentialClientApplication.java:102)
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ConfidentialClientApplication.initClientAuthentication(ConfidentialClientApplication.java:79)
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ConfidentialClientApplication.<init>(ConfidentialClientApplication.java:65)
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ConfidentialClientApplication.<init>(ConfidentialClientApplication.java:30)
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ConfidentialClientApplication$Builder.build(ConfidentialClientApplication.java:188)
	at PluginClassLoader for azure-sdk//com.azure.identity.implementation.IdentityClientBase.getConfidentialClient(IdentityClientBase.java:294)
	at PluginClassLoader for azure-sdk//com.azure.identity.implementation.IdentityClient.lambda$getConfidentialClientApplication$5(IdentityClient.java:152)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:45)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoCacheTime.subscribeOrReturn(MonoCacheTime.java:143)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:57)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoUsing.subscribe(MonoUsing.java:102)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFromFluxOperator.subscribe(MonoFromFluxOperator.java:81)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.subscribe(Mono.java:4491)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoIgnoreThen$ThenIgnoreMain.subscribeNext(MonoIgnoreThen.java:263)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoIgnoreThen.subscribe(MonoIgnoreThen.java:51)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.subscribe(Mono.java:4491)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:203)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:57)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDeferContextual.subscribe(MonoDeferContextual.java:55)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Flux.subscribe(Flux.java:8642)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Flux.blockLast(Flux.java:2760)
	at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedByIteratorBase.requestPage(ContinuablePagedByIteratorBase.java:102)
	at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedByItemIterable$ContinuablePagedByItemIterator.<init>(ContinuablePagedByItemIterable.java:75)
	at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedByItemIterable.iterator(ContinuablePagedByItemIterable.java:55)
	at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedIterable.iterator(ContinuablePagedIterable.java:141)
	at PluginClassLoader for azure-sdk//com.azure.resourcemanager.resources.fluentcore.utils.PagedConverter$PagedIterableImpl.iterator(PagedConverter.java:208)
	at PluginClassLoader for azure-credentials//com.microsoft.azure.util.AzureCredentials$ServicePrincipal.validate(AzureCredentials.java:397)
	at PluginClassLoader for azure-credentials//com.microsoft.azure.util.AzureCredentials$DescriptorImpl.doVerifyConfiguration(AzureCredentials.java:814)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
	at org.kohsuke.stapler.SelectionInterceptedFunction$Adapter.invoke(SelectionInterceptedFunction.java:37)
	at org.kohsuke.stapler.verb.HttpVerbInterceptor.invoke(HttpVerbInterceptor.java:48)
	at org.kohsuke.stapler.SelectionInterceptedFunction.bindAndInvoke(SelectionInterceptedFunction.java:26)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:327)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:898)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:548)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:154)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.Server.handle(Server.java:563)
	at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
Also:   <cycle to com.microsoft.aad.msal4j.MsalClientException: java.lang.NullPointerException>
Also:   java.lang.Exception: #block terminated with an error
		at PluginClassLoader for azure-sdk//reactor.core.publisher.BlockingSingleSubscriber.blockingGet(BlockingSingleSubscriber.java:100)
		at PluginClassLoader for azure-sdk//reactor.core.publisher.Flux.blockLast(Flux.java:2761)
		at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedByIteratorBase.requestPage(ContinuablePagedByIteratorBase.java:102)
		at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedByItemIterable$ContinuablePagedByItemIterator.<init>(ContinuablePagedByItemIterable.java:75)
		at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedByItemIterable.iterator(ContinuablePagedByItemIterable.java:55)
		at PluginClassLoader for azure-sdk//com.azure.core.util.paging.ContinuablePagedIterable.iterator(ContinuablePagedIterable.java:141)
		at PluginClassLoader for azure-sdk//com.azure.resourcemanager.resources.fluentcore.utils.PagedConverter$PagedIterableImpl.iterator(PagedConverter.java:208)
		at PluginClassLoader for azure-credentials//com.microsoft.azure.util.AzureCredentials$ServicePrincipal.validate(AzureCredentials.java:397)
		at PluginClassLoader for azure-credentials//com.microsoft.azure.util.AzureCredentials$DescriptorImpl.doVerifyConfiguration(AzureCredentials.java:814)
		at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
		at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
		at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
		at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
		at org.kohsuke.stapler.SelectionInterceptedFunction$Adapter.invoke(SelectionInterceptedFunction.java:37)
		at org.kohsuke.stapler.verb.HttpVerbInterceptor.invoke(HttpVerbInterceptor.java:48)
		at org.kohsuke.stapler.SelectionInterceptedFunction.bindAndInvoke(SelectionInterceptedFunction.java:26)
		at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
		at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
		at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
		at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
		at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
		at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:327)
		at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
		at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
		at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
		at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:898)
		at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
		at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:548)
		at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
		at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
		at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
		at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
		at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
		at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
		at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
		at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
		at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
		at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
		at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:154)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
		at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
		at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
		at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
		at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
		at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
		at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
		at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
		at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
		at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
		at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
		at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
		at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
		at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
		at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
		at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
		at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
		at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
		at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
		at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
		at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51)
		at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
		at org.eclipse.jetty.server.Server.handle(Server.java:563)
		at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
		at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
		at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
		at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
		at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
		at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
		at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
		at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
		at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
		at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
		at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
		at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
		at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
		at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
		at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
Caused: java.lang.IllegalArgumentException: Self-suppression not permitted
	at java.base/java.lang.Throwable.addSuppressed(Throwable.java:1054)
	at java.base/java.lang.Iterable.forEach(Iterable.java:75)
	at PluginClassLoader for azure-sdk//com.azure.core.http.policy.RetryPolicy.lambda$attemptAsync$2(RetryPolicy.java:196)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.lambda$onErrorResume$32(Mono.java:3887)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:94)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.onError(MonoFlatMap.java:172)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.onError(MonoFlatMap.java:172)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoIgnoreThen$ThenIgnoreMain.onError(MonoIgnoreThen.java:278)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.onError(MonoFlatMap.java:172)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoNext$NextSubscriber.onError(MonoNext.java:93)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.SerializedSubscriber.onError(SerializedSubscriber.java:124)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxRepeatWhen$RepeatWhenMainSubscriber.onError(FluxRepeatWhen.java:151)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoUsing$MonoUsingSubscriber.onError(MonoUsing.java:260)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoPeekTerminal$MonoTerminalPeekSubscriber.onError(MonoPeekTerminal.java:258)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:192)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:259)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators$MultiSubscriptionSubscriber.onError(Operators.java:2065)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators.error(Operators.java:198)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoError.subscribe(MonoError.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.subscribe(Mono.java:4491)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxSwitchIfEmpty$SwitchIfEmptySubscriber.onComplete(FluxSwitchIfEmpty.java:82)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators.complete(Operators.java:137)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoEmpty.subscribe(MonoEmpty.java:46)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:157)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoMaterialize$MaterializeSubscriber.drain(MonoMaterialize.java:133)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoMaterialize$MaterializeSubscriber.onError(MonoMaterialize.java:116)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoPeekTerminal$MonoTerminalPeekSubscriber.onError(MonoPeekTerminal.java:258)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxPeekFuseable$PeekConditionalSubscriber.onError(FluxPeekFuseable.java:903)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators$MultiSubscriptionSubscriber.onError(Operators.java:2065)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onError(FluxMapFuseable.java:142)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.onError(MonoFlatMap.java:172)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators$MonoSubscriber.onError(Operators.java:1886)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoCacheTime.subscribeOrReturn(MonoCacheTime.java:157)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:57)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.subscribe(Mono.java:4491)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxSwitchIfEmpty$SwitchIfEmptySubscriber.onComplete(FluxSwitchIfEmpty.java:82)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators$MultiSubscriptionSubscriber.onComplete(Operators.java:2060)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators.complete(Operators.java:137)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoEmpty.subscribe(MonoEmpty.java:46)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.subscribe(Mono.java:4491)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:103)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFlatMap$FlatMapMain.onError(MonoFlatMap.java:172)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Operators$MonoSubscriber.onError(Operators.java:1886)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoCacheTime.subscribeOrReturn(MonoCacheTime.java:157)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:57)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoUsing.subscribe(MonoUsing.java:102)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoFromFluxOperator.subscribe(MonoFromFluxOperator.java:81)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.Mono.subscribe(Mono.java:4491)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoIgnoreThen$ThenIgnoreMain.subscribeNext(MonoIgnoreThen.java:263)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoIgnoreThen.subscribe(MonoIgnoreThen.java:51)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:64)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDelaySubscription.accept(MonoDelaySubscription.java:53)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDelaySubscription.accept(MonoDelaySubscription.java:34)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.FluxDelaySubscription$DelaySubscriptionOtherSubscriber.onNext(FluxDelaySubscription.java:131)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDelay$MonoDelayRunnable.propagateDelay(MonoDelay.java:271)
	at PluginClassLoader for azure-sdk//reactor.core.publisher.MonoDelay$MonoDelayRunnable.run(MonoDelay.java:286)
	at PluginClassLoader for azure-sdk//reactor.core.scheduler.SchedulerTask.call(SchedulerTask.java:68)
	at PluginClassLoader for azure-sdk//reactor.core.scheduler.SchedulerTask.call(SchedulerTask.java:28)
	at java.base/java.util.concurrent.FutureTask.run$$$capture(FutureTask.java:264)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
Caused: com.microsoft.azure.util.AzureCredentials$ValidationException: The provided credentials are not valid: Self-suppression not permitted
	at PluginClassLoader for azure-credentials//com.microsoft.azure.util.AzureCredentials$ServicePrincipal.validate(AzureCredentials.java:403)
	at PluginClassLoader for azure-credentials//com.microsoft.azure.util.AzureCredentials$DescriptorImpl.doVerifyConfiguration(AzureCredentials.java:814)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
	at org.kohsuke.stapler.SelectionInterceptedFunction$Adapter.invoke(SelectionInterceptedFunction.java:37)
	at org.kohsuke.stapler.verb.HttpVerbInterceptor.invoke(HttpVerbInterceptor.java:48)
	at org.kohsuke.stapler.SelectionInterceptedFunction.bindAndInvoke(SelectionInterceptedFunction.java:26)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:327)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:898)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:548)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:154)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
	at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.Server.handle(Server.java:563)
	at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Thread.java:829)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds like there is possibly something missing from the store. I thought you would only need the key as this contains the certs but maybe you need more?

  while (aliases.hasMoreElements()) {
    String alias = aliases.nextElement();
    KeyStore.Entry entry = keystore.getEntry(alias, new KeyStore.PasswordProtection(password.toCharArray()));
    ks .addEntry(entry, new KeyStore.PasswordProtection(password.toCharArray()));
  }

Note may need to not use the password protection for non private key things, off the top of my head unsure.

Otherwise dump the byte[] to a file and inspect the difference between an uploaded pkcs12 file and the exported byte[] using keytool -list etc...

Sorry I have not got a lot of time to look more at this currently

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, its not going into the code that looks at aliases as its a pkcs12 keystore I'm using so its just calling this part:

  ByteArrayOutputStream bos = new ByteArrayOutputStream();
  ks.store(bos, password.toCharArray());
  return bos.toByteArray();

Copy link
Member Author

@jtnord jtnord Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

java.lang.NullPointerException
	at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.ClientCertificate.publicCertificateHash(ClientCertificate.java:39)

lombok 🤦
https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/avdunn/release-1.17.2/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java#L38C1-L42C10

🤷 so the certifacate chain is empty?

(I am assuming you are not using FIPS-140 as otherwise good luck as PKCS12 (aka PFX) is non compliant in the JDK/BOuncycastle and all but the very latest release of OpenSSL)

https://github.com/jenkinsci/azure-credentials-plugin/pull/274/files#r1871874538 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timja timja timja left review comments

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jtnord @timja