
[JENKINS-73334] make plugin FIPS-140 compliant by blocking PKCS#12 certificates when in FIPS mode #539

Merged: 3 commits, Jul 5, 2024

Conversation

@jtnord (Member) commented Jun 20, 2024

JENKINS-73334 Block PKCS#12 certificates due to FIPS-140 compliance issues.

Testing done

Manual testing of the form entry in FIPS and non-FIPS mode (mvn clean hpi:run -Djenkins.security.FIPS140.COMPLIANCE=true)

Screenshots

FIPS mode: [screenshot]

Regular mode: [screenshot]

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue

PKCS#12 is not FIPS compliant; as such we need to block these certificate
uploads when in FIPS mode.
This is expected to be a temporary measure pending JENKINS-73335;
as such no tests are introduced for this, rather manual testing was
performed.
<j:set var="keyStoreSourceDescriptors" value="${descriptor.getPropertyType('keyStoreSource').applicableDescriptors}"/>
<j:choose>
<j:when test="${keyStoreSourceDescriptors.isEmpty()}">
<div class="warning">Jenkins has no <code>KeyStoreSources</code> available, Certificate credentials will not be able to be created.</div>
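Review bot: the warning emitted in the j:when branch tells the user only that no KeyStoreSources are available, not why; in FIPS mode the actual cause is the PKCS#12 block this PR introduces, so the message should name it, for example `Jenkins has no <code>KeyStoreSources</code> available (PKCS#12 uploads are disabled in FIPS-140 mode), so certificate credentials cannot be created.` That also fixes the comma splice before "Certificate credentials" and the mid-sentence capital. Only the j:when branch is visible here, so confirm the j:otherwise branch and the closing </j:choose> are present in the full file.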
@jtnord (Member, Author) commented:
This is a small UI warning, as I intend to follow up with https://issues.jenkins.io/browse/JENKINS-73335, so this should not live for that long; hence no tests for this.

@@ -435,6 +436,7 @@ public static class UploadedKeyStoreSource extends KeyStoreSource implements Ser
@SuppressWarnings("unused") // by stapler
@Deprecated
public UploadedKeyStoreSource(String uploadedKeystore) {
ensureNotRunningInFIPSMode();
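Review bot: only this deprecated, Stapler-bound constructor is shown receiving ensureNotRunningInFIPSMode(); the non-deprecated constructor and any path that rebuilds an UploadedKeyStoreSource from persisted credential XML need the same guard, otherwise a PKCS#12 keystore saved before FIPS mode was switched on is still loaded silently. Since the author notes below that other plugins call this constructor directly and will now fail at construction time, the Javadoc on the constructor should document which exception the guard throws and under what condition, so those callers get a clear failure rather than an undocumented runtime exception.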
@jtnord (Member, Author) commented:
Other plugins are using this code directly, so we cannot just not register the extension.
Whilst this will break other plugins, those other plugins are not compliant and are using a byte[] that is a PKCS#12 cert, so they are not compliant anyway.

I am not intending to fix / adapt any of these plugins.
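The design point made above, that the guard has to live in the constructor because other plugins instantiate the keystore source directly and bypass the descriptor/UI layer, is illustrated by the following stand-alone Java example. It is added here and is not the credentials plugin's code: the class names, the hypothetical Pkcs12KeyStoreSource, and reading the jenkins.security.FIPS140.COMPLIANCE system property directly (instead of through Jenkins core's helper, which I assume to be jenkins.security.FIPS140.useCompliantAlgorithms()) are all assumptions made to keep the example runnable without Jenkins on the classpath. The sample keystore bytes are constructed and are not a real PKCS#12 file.

```java
import java.util.Objects;

/** Stand-alone illustration (not the plugin's code) of a constructor-level FIPS-mode guard. */
public class FipsGuardExample {

    /** System property that the PR's manual test command sets: -Djenkins.security.FIPS140.COMPLIANCE=true */
    static final String FIPS_PROPERTY = "jenkins.security.FIPS140.COMPLIANCE";

    /** True only when the property is set to the literal string "true" (Boolean.getBoolean semantics). */
    static boolean fipsModeEnabled() {
        return Boolean.getBoolean(FIPS_PROPERTY);
    }

    /** Hypothetical equivalent of the guard added in the PR: refuse PKCS#12 material in FIPS mode. */
    static void ensureNotRunningInFIPSMode() {
        if (fipsModeEnabled()) {
            throw new IllegalStateException(
                    "PKCS#12 keystores are not FIPS-140 compliant and cannot be used while Jenkins runs in FIPS mode");
        }
    }

    /** Hypothetical stand-in for UploadedKeyStoreSource: wraps raw PKCS#12 keystore bytes. */
    static final class Pkcs12KeyStoreSource {
        private final byte[] keystoreBytes;

        Pkcs12KeyStoreSource(byte[] keystoreBytes) {
            // The check sits in the constructor, not only behind the UI or the extension
            // registration, so callers in other plugins that construct this directly are blocked too.
            ensureNotRunningInFIPSMode();
            this.keystoreBytes = Objects.requireNonNull(keystoreBytes, "keystoreBytes").clone();
        }

        int size() {
            return keystoreBytes.length;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: only the leading bytes of a DER SEQUENCE, not a real keystore.
        byte[] constructedBytes = {0x30, (byte) 0x82, 0x00, 0x00};

        System.clearProperty(FIPS_PROPERTY);
        Pkcs12KeyStoreSource allowed = new Pkcs12KeyStoreSource(constructedBytes);
        System.out.println("non-FIPS mode: construction allowed, " + allowed.size() + " bytes held");

        System.setProperty(FIPS_PROPERTY, "true");
        try {
            new Pkcs12KeyStoreSource(constructedBytes);
            System.out.println("BUG: construction should have been rejected in FIPS mode");
        } catch (IllegalStateException e) {
            System.out.println("FIPS mode: rejected, " + e.getMessage());
        }
    }
}
```

Run it with and without -Djenkins.security.FIPS140.COMPLIANCE=true on the command line to see the two paths; the main method also toggles the property itself so a single run shows both outcomes. The point to take from it is the placement of the guard: a check only in the form validation or the descriptor list would leave the direct-construction path the comment above describes unguarded.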

@jtnord jtnord requested a review from a team June 20, 2024 14:01
@jtnord jtnord merged commit 56f5ca3 into jenkinsci:master Jul 5, 2024
15 checks passed
@jtnord jtnord deleted the JENKINS-73334 branch July 5, 2024 16:00