Handle password with empty string for certificate auth #581
Conversation
| private static char[] toCharArray(@NonNull Secret password) { | ||
| String plainText = Util.fixEmpty(password.getPlainText()); | ||
| return plainText == null ? null : plainText.toCharArray(); | ||
| return password.getPlainText().toCharArray(); |
There was a problem hiding this comment.
Empty string is used at least commonly in Azure if not elsewhere for PFX files.
Shouldn't modify what the user has passed here
| @@ -248,7 +246,7 @@ public FormValidation doCheckPassword(@QueryParameter String value) { | |||
| return FormValidation.error(Messages.CertificateCredentialsImpl_ShortPasswordFIPS()); | |||
| } | |||
| if (pw.isEmpty()) { | |||
| return FormValidation.warning(Messages.CertificateCredentialsImpl_NoPassword()); | |||
| return FormValidation.ok(Messages.CertificateCredentialsImpl_NoPassword()); | |||
There was a problem hiding this comment.
- warnings/errors shouldn't be shown when you open a form
- this is a valid usecase but its still worth making people aware so I left it as ok
| @@ -624,9 +622,7 @@ protected static FormValidation validateCertificateKeystore(byte[] keystoreBytes | |||
| } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) { | |||
| return FormValidation.warning(e, Messages.CertificateCredentialsImpl_LoadKeystoreFailed()); | |||
| } finally { | |||
| if (passwordChars != null) { | |||
There was a problem hiding this comment.
no longer possible to be null here
| @@ -739,6 +735,9 @@ public FormValidation doCheckCertChain(@QueryParameter String value) { | |||
| List<PEMEncodable> pemEncodables = PEMEncodable.decodeAll(pemCerts, null); | |||
| long count = pemEncodables.stream().map(PEMEncodable::toCertificate).filter(Objects::nonNull).count(); | |||
| if (count < 1) { | |||
| if (Util.fixEmpty(value) == null) { | |||
There was a problem hiding this comment.
warnings/errors shouldn't be shown when you open a form
The form has a clear empty state so we don't need the same content as we did with the password for the pfx:
There was a problem hiding this comment.
I would agree if Jenkins did not allow you to hit "Save" or Apply when the form was in an invalid state or otherwise called out mandatory parameters from optional ones, but it does neither.
Hitting save leads to an angry Jenkins which is IMO a worse UX that the error.
2024-12-10 11:23:30.372+0000 [id=41] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID a655cb61-a72d-4d07-a85b-97a161a42acd
java.io.IOException: expected one key but got 0
at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource.toKeyStore(CertificateCredentialsImpl.java:703)
at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource.toKeyStore(CertificateCredentialsImpl.java:691)
at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.<init>(CertificateCredentialsImpl.java:140)
Caused: java.lang.IllegalArgumentException: KeyStore is not valid.
| @@ -771,6 +770,9 @@ public FormValidation doCheckPrivateKey(@QueryParameter String value, | |||
| List<PEMEncodable> pemEncodables = PEMEncodable.decodeAll(key, toCharArray(Secret.fromString(password))); | |||
| long count = pemEncodables.stream().map(PEMEncodable::toPrivateKey).filter(Objects::nonNull).count(); | |||
| if (count == 0) { | |||
| if (Util.fixEmpty(value) == null) { | |||
There was a problem hiding this comment.
warnings/errors shouldn't be shown when you open a form
The form has a clear empty state so we don't need the same content as we did with the password for the pfx:
| CertificateCredentialsImpl.LoadKeyFailed=Could retrieve key "{0}" | ||
| CertificateCredentialsImpl.LoadKeyFailedQueryEmptyPassword=Could retrieve key "{0}". You may need to provide a password |
There was a problem hiding this comment.
these error messages made no sense before
| */ | ||
| @CheckForNull |
There was a problem hiding this comment.
There is a difference between no password and an empty password.
It seems like Azure is using the empty password rather than no password (why I have no idea).
https://stackoverflow.com/a/53523999 appears to confirm this.
There was a problem hiding this comment.
Not sure looks like other systems try both empty string and null
|
Thanks for the investigation and fix |
I saw a bug report on the Java issue tracker which says it should be possible from Java 18 but YMMV, I expect this is the more common case... |
Testing done
Uploaded a cert generated inside Azure Key Vault
Tested with jenkinsci/azure-credentials-plugin#274
and checked end 2 end and I can provision VMs with https://plugins.jenkins.io/azure-vm-agents using certificate auth
Submitter checklist