Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-68662

Instance identity plugin can't encode/decode PEM in a FIPS configured OS / host

XMLWordPrintable

    • 116.vf8f487400980

      Hello,

      On a FIPS configured OS, instance identity plugin fails to instantiate.

      Steps to reproduce:

      • Install a RHEL 8.5 on virtualbox
      • Switch to fips mode
      • Configure local repositories
      • Install java 11
      • Start jenkins

      The error:

      2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
    at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
    at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
    at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
    at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
    at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
    at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
    at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
    at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
    at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
    at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
    at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
    at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
    at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
    at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
    at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
  

      The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

      Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing Convert modules to plugins

          [JENKINS-68662] Instance identity plugin can't encode/decode PEM in a FIPS configured OS / host

          Jean-Marc Desprez created issue -
          Jean-Marc Desprez made changes -
          Link New: This issue is blocked by JENKINS-55582 [ JENKINS-55582 ]
          Jean-Marc Desprez made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Jean-Marc Desprez added a comment -

          Modules can't use plugins

          Jean-Marc Desprez added a comment - Modules can't use plugins
          Jean-Marc Desprez made changes -
          Link New: This issue depends on JENKINS-55582 [ JENKINS-55582 ]
          Jean-Marc Desprez made changes -
          Link Original: This issue is blocked by JENKINS-55582 [ JENKINS-55582 ]
          Jean-Marc Desprez made changes -
          Description Original: Hello,

          On a FIPS configured OS, instance identity plugin fails to instantiate.

          Steps to reproduce:
           * Install a RHEL 8.5 on virtualbox
           * [Switch to fips mode|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies]
           * Configure local repositories
           * Install java
           * Start jenkins

          The error:
          {noformat}
          2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException     at java.base/java.util.Base64$Encoder.encode(Base64.java:267)     at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)     at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)     at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)     at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)     at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)     at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)     at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1599057.GUICE$TRAMPOLINE(<generated>)     at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1599057.apply(<generated>)     at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)

           {noformat}
          The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

          Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing Convert modules to plugins           		New: Hello,

          On a FIPS configured OS, instance identity plugin fails to instantiate.

          Steps to reproduce:
           * Install a RHEL 8.5 on virtualbox
           * [Switch to fips mode|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies]
           * Configure local repositories
           * Install java
           * Start jenkins

          The error:
          {noformat}
          2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
              at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
              at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
              at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
              at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
              at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
             {noformat}
          The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

          Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing Convert modules to plugins
          Jean-Marc Desprez made changes -
          Description Original: Hello,

          On a FIPS configured OS, instance identity plugin fails to instantiate.

          Steps to reproduce:
           * Install a RHEL 8.5 on virtualbox
           * [Switch to fips mode|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies]
           * Configure local repositories
           * Install java
           * Start jenkins

          The error:
          {noformat}
          2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
              at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
              at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
              at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
              at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
              at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
             {noformat}
          The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

          Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing Convert modules to plugins           		New: Hello,

          On a FIPS configured OS, instance identity plugin fails to instantiate.

          Steps to reproduce:
           * Install a RHEL 8.5 on virtualbox
           * [Switch to fips mode|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies]
           * Configure local repositories
           * Install java
           * Start jenkins

          The error:
          {noformat}
          2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
              at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
              at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
              at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
              at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
              at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
             {noformat}
          The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

          Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing [Convert modules to plugins|https://issues.jenkins.io/browse/JENKINS-55582]
          Jean-Marc Desprez made changes -
          Comment [ Modules can't use plugins ]
          Jean-Marc Desprez made changes -
          Description Original: Hello,

          On a FIPS configured OS, instance identity plugin fails to instantiate.

          Steps to reproduce:
           * Install a RHEL 8.5 on virtualbox
           * [Switch to fips mode|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies]
           * Configure local repositories
           * Install java
           * Start jenkins

          The error:
          {noformat}
          2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
              at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
              at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
              at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
              at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
              at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
             {noformat}
          The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

          Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing [Convert modules to plugins|https://issues.jenkins.io/browse/JENKINS-55582]           		New: Hello,

          On a FIPS configured OS, instance identity plugin fails to instantiate.

          Steps to reproduce:
           * Install a RHEL 8.5 on virtualbox
           * [Switch to fips mode|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies]
           * Configure local repositories
           * Install java 11
           * Start jenkins

          The error:
          {noformat}
          2022-06-01 16:27:40.195+0000 [id=29]    WARNING    h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl, annotation=[none]]; skipping this component java.lang.NullPointerException
              at java.base/java.util.Base64$Encoder.encode(Base64.java:267)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.writeEncoded(PEMHelper.java:186)
              at org.jenkinsci.main.modules.instance_identity.pem.PEMHelper.encodePEM(PEMHelper.java:113)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.write(InstanceIdentity.java:96)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:66)
              at org.jenkinsci.main.modules.instance_identity.InstanceIdentity.<init>(InstanceIdentity.java:40)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl.<init>(PageDecoratorImpl.java:22)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.GUICE$TRAMPOLINE(<generated>)
              at org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl$$FastClassByGuice$$1055034.apply(<generated>)
              at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:82)
              at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
              at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:33)
              at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:98)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:109)
              at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:568)
              at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:117)
              at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:66)
              at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:93)
              at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:296)
              at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
             {noformat}
          The actual implementation relies on JDK libraries, which cause the error above when run in FIPS mode.

          Updating the plugin to use `org.jenkins-ci.plugins:bouncycastle-api` will give a more consistent result. However, this have to be done after completing Convert modules to plugins

            jmdesprez Jean-Marc Desprez
            jmdesprez Jean-Marc Desprez
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: