JENKINS-68662

Instance identity plugin can't encode/decode PEM in a FIPS configured OS / host

Details

    • 116.vf8f487400980

    Description

      Hello,

      On a FIPS configured OS, instance identity plugin fails to instantiate.

      Steps to reproduce:

      • Install RHEL 8.5 on VirtualBox
      • Switch to FIPS mode
      • Configure local repositories
      • Install Java 11
      • Start Jenkins

      The error:

      2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component
      java.lang.NullPointerException
          at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
          at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
          at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
          at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
          at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
          at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
          at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
          at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
          at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
          at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
          at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
          at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
          at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
          at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
          at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
          at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
          at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
          at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
          at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
          at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
         

      The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

      Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this has to be done after completing "Convert modules to plugins".
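The trace above shows `Base64.Encoder.encode` throwing `NullPointerException` when called from `PEMHelper.writeEncoded`, which is what happens when it is handed a null byte array. The following is an added example, not the plugin's code: it assumes the null came from `Key.getEncoded()`, which is documented to return null for keys that do not support encoding, and shows a PEM encoder that fails with a diagnosable error instead. `PemEncodeCheck`, `encodePem` and `OpaqueKey` are hypothetical names.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.util.Base64;

public class PemEncodeCheck {

    /** Encode a key as PEM, refusing clearly when the provider exposes no encoding. */
    static String encodePem(Key key, String label) throws GeneralSecurityException {
        // java.security.Key#getEncoded returns null if the key does not support encoding.
        byte[] der = key.getEncoded();
        if (der == null) {
            throw new InvalidKeyException("Provider exposes no encoding for this "
                    + key.getAlgorithm() + " key (format=" + key.getFormat() + ")");
        }
        // PEM body: base64 wrapped at 64 characters per line.
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    /** Constructed stand-in (assumption) for a key whose material cannot leave its module. */
    static final class OpaqueKey implements PrivateKey {
        public String getAlgorithm() { return "RSA"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // An exportable key encodes normally (public half only, so no secret is printed).
        System.out.print(encodePem(pair.getPublic(), "PUBLIC KEY"));

        // A non-exportable key yields a clear exception rather than an NPE inside Base64.
        try {
            encodePem(new OpaqueKey(), "PRIVATE KEY");
        } catch (InvalidKeyException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```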

          Activity

            jmdesprez Jean-Marc Desprez added a comment - Modules can't use plugins

            saper Marcin Cieślak added a comment - It looks to me that this plugin tries to write RSA private key to a file, which is not allowed in FIPS mode.
            teilo James Nord added a comment - - edited

            Can you point to a reference for this, please?

            It is my understanding that key export is allowed, with the restriction that it shall prevent unauthorised disclosure for FIPS 140-2. The key is written encrypted, which shall prevent unauthorised disclosure, and this is not so much exporting it as persisting it.

            The authorisation within the JVM and Jenkins authorisation is an Administrator can recover this and they are authorised to do so.

            BouncyCastle itself, according to the documentation, is OK exporting private keys when in approved-only mode. It only disables it when there is a security manager in place.
            https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf sec 1.3

            jmdesprez Jean-Marc Desprez added a comment - A fixed version of the plugin has been released. However, it still needs to be converted to a plugin (see JENKINS-55582) to be used.
            basil Basil Crow added a comment -

            However, it still needs to be converted to a plugin (see JENKINS-55582) to be used.

            That was done in 2.357.

            basil Basil Crow added a comment -

            BouncyCastle itself according to the documentation is ok exporting private keys when in approved only mode

            Fix verified by starting Jenkins 2.357 in BouncyCastle FIPS approved-only mode with instance-identity 116.vf8f487400980 and bouncycastle-api 2.26 both with and without an existing identity.key.enc file and ensuring that the key could both be written and read successfully.


            People

              jmdesprez Jean-Marc Desprez