Jenkins / JENKINS-68662

Instance identity plugin can't encode/decode PEM in a FIPS configured OS / host


    • 116.vf8f487400980

      Hello,

      On a FIPS configured OS, instance identity plugin fails to instantiate.

      Steps to reproduce:

      • Install a RHEL 8.5 on virtualbox
      • Switch to fips mode
      • Configure local repositories
      • Install java 11
      • Start jenkins

      The error:

      2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
          at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
          at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
          at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
          at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
          at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
          at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
          at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
          at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
          at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
          at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
          at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
          at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
          at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
          at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
          at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
          at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
          at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
          at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
          at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
          at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
         

      The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

      Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this has to be done after completing "Convert modules to plugins".

            jmdesprez Jean-Marc Desprez
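
The trace above ends in `Base64$Encoder.encode`, which throws `NullPointerException` when handed a null byte array. The sketch below is an added example, not the plugin's code: it assumes the null came from `Key.getEncoded()`, which the `java.security.Key` contract allows to return null for keys that do not support encoding, and it turns that case into an explicit error. `NullSafePem` and `encodePem` are hypothetical names.

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;

public class NullSafePem {
    /** PEM-encodes a key, failing with a clear message when no encoding is available. */
    static String encodePem(String label, Key key) {
        byte[] der = key.getEncoded(); // may legitimately be null per the Key contract
        if (der == null) {
            throw new IllegalStateException("Key (" + key.getAlgorithm() + ", format="
                    + key.getFormat() + ") has no exportable encoding; cannot write PEM");
        }
        // 64-character lines separated by '\n', as PEM expects
        Base64.Encoder enc = Base64.getMimeEncoder(64, new byte[] {'\n'});
        return "-----BEGIN " + label + "-----\n"
                + enc.encodeToString(der)
                + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Normal case: a software RSA key that exposes its encoded form.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey exportable = gen.generateKeyPair().getPublic();
        System.out.print(encodePem("PUBLIC KEY", exportable));

        // Constructed stand-in (assumption) for a key whose provider
        // does not expose key material.
        PublicKey opaque = new PublicKey() {
            public String getAlgorithm() { return "RSA"; }
            public String getFormat() { return null; }
            public byte[] getEncoded() { return null; }
        };
        try {
            encodePem("PUBLIC KEY", opaque);
        } catch (IllegalStateException e) {
            System.out.println("Refused: " + e.getMessage());
        }
    }
}
```

With a check like this, the failure names the key and its missing encoding in the log instead of surfacing as a bare `NullPointerException` during extension loading.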