
Error messages are not shown when adding invalid certificate credentials

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • credentials-plugin
    • None

      When users provide invalid certificate credentials during creation, the form displays validation errors as expected. When the user clicks Add, the credentials are not stored, but the issue is that no error message is shown to the user to indicate the failure.

      Steps to Reproduce:

      1. Go to New Item and create an item named Test-Add-Certificate
      2. Under Source Code Management, select Git
      3. Click on the Add button for credentials
      4. In the credentials popup:
          • Select Jenkins as the provider
          • Choose Global Credentials (Unrestricted) for the Domain
          • Select "Certificate" as the Kind
          • Choose "PEM encoded certificate and key" for the Certificate type
      5. Leave the Certificate and Private Key fields empty or input invalid data
      6. Observe that the form shows validation errors, but after clicking Add, no error message is displayed, and the credentials are not created

      Expected Behavior:

      If the certificate credentials creation fails, the plugin should display an error message to the user; otherwise it's not clear whether the credentials are created.

      Actual Behavior:

      No error message is displayed, and the credentials are silently rejected.

          [JENKINS-74964] Error messages are not shown when adding invalid certificate credentials

          Mark Waite added a comment - edited

          Thanks for the very clear issue description. I can duplicate it.

          The git plugin only supports username / password credentials for HTTPS repository URLs. The git plugin only supports private key credentials (RSA, ED-25519, ECDSA) for SSH repository URLs. The incorrect behavior may be (partly?) because the git plugin does not support certificate credentials.

          When I use "Manage Jenkins" -> "Credentials" to create a certificate credential with an invalid PEM encoded certificate, a stack trace exception is shown on the screen (the "Jenkins devil") and the Jenkins log shows that an illegal argument exception was thrown while trying to construct the certificate credential. The exception in the stack trace is:

          2024-12-06 13:27:22.467+0000 [id=284663]        WARNING o.e.j.e.n.ContextHandler$APIContext#log: Error while serving http://mark-pc2.markwaite.net:8080/manage/credentials/store/system/domain/mark-pc7.markwaite.net/createCredentials
          java.io.IOException: expected one key but got 0
                  at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource.toKeyStore(CertificateCredentialsImpl.java:707)
                  at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource.toKeyStore(CertificateCredentialsImpl.java:695)
                  at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.<init>(CertificateCredentialsImpl.java:140)
          Caused: java.lang.IllegalArgumentException: KeyStore is not valid.
                  at PluginClassLoader for credentials//com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.<init>(CertificateCredentialsImpl.java:142)
                  at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(Unknown Source)
                  at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source)
                  at java.base/java.lang.reflect.Constructor.newInstance(Unknown Source)
                  at org.kohsuke.stapler.RequestImpl.invokeConstructor(RequestImpl.java:673)
                  at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java:990)
                  at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:861)
          Caused: java.lang.IllegalArgumentException: Failed to instantiate class com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl from {"scope":"GLOBAL","keyStoreSource":{"value":"0","certChain":"[value redacted]","$redact":["certChain","privateKey"],"privateKey":"[value redacted]","stapler-class":"com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource","$class":"com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$PEMEntryKeyStoreSource"},"password":"[value redacted]","$redact":"password","id":"invalied-pem-certificate","description":"Invalid pem certiticate","stapler-class":"com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl","$class":"com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl"}
                  at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:865)
                  at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:620)
                  at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:615)
                  at hudson.model.Descriptor.bindJSON(Descriptor.java:656)
                  at hudson.model.Descriptor.newInstanceImpl(Descriptor.java:614)
          

          I think that both behaviors are a poor user experience. In the git plugin context within a job definition, it would be best to only allow the user to create credential types that are valid for use with the git plugin. In the "Manage Jenkins" -> "Credentials" context it would be better to show the user a clear message instead of the Jenkins stack trace ID page and a stack trace in the Jenkins log.


          Priya added a comment - edited

          Thank you for your detailed insights. I completely agree with you that showing only the valid options provides a much better user experience. To clarify, I used Git (bad example) as an example in the steps to reproduce to illustrate the use of the add credentials popup in an open-source context. However, this issue is not limited to Git.

          The primary concern is that invalid certificate credentials fail to trigger error messages, resulting in a poor user experience:

          • In the Manage Jenkins -> Credentials section, the issue displays the 'Jenkins devil'.
          • In the Add Credentials popup, failures are silently ignored without any error messages.

          I have tried to address the Add Credentials popup in the PR. Please take a look and share your feedback.

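A pre-submit check of the kind both comments ask for, as an added example that is not code from the credentials plugin or the linked PR. It uses only JDK classes; the class name `PemFormCheck` and the method `check` are hypothetical. It turns the "expected one key but got 0" condition from the stack trace into messages a form could display, and it only counts private key blocks rather than parsing them.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemFormCheck {
    // One PEM block: group 1 is the label, group 2 the base64 body.
    private static final Pattern BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \\1-----", Pattern.DOTALL);

    // Returns messages for the form; empty means the input looks usable.
    // Messages never echo field contents, so key material stays out of the UI and logs.
    static List<String> check(String certChain, String privateKey) {
        List<String> problems = new ArrayList<>();
        int certs = 0;
        Matcher m = BLOCK.matcher(certChain == null ? "" : certChain);
        while (m.find()) {
            if (!m.group(1).equals("CERTIFICATE")) continue;
            certs++;
            try {
                byte[] der = Base64.getMimeDecoder().decode(m.group(2));
                CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
            } catch (IllegalArgumentException | CertificateException e) {
                problems.add("Certificate #" + certs + " could not be parsed");
            }
        }
        if (certs == 0) problems.add("No PEM certificate found in the certificate chain");
        int keys = 0;
        m = BLOCK.matcher(privateKey == null ? "" : privateKey);
        while (m.find()) {
            if (m.group(1).endsWith("PRIVATE KEY")) keys++;
        }
        if (keys != 1) problems.add("Expected one private key but got " + keys);
        return problems;
    }

    public static void main(String[] args) {
        // Constructed inputs: both fields left empty, as in the steps to reproduce.
        System.out.println(check("", ""));
        // Constructed inputs: one key block, but a certificate body that is not valid DER.
        String badCert = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----";
        String key = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----";
        System.out.println(check(badCert, key));
    }
}
```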

            priya_cb Priya