SONAR-23013 Fix the usage of Bouncycastle
authorJulien HENRY <julien.henry@sonarsource.com>
Fri, 27 Sep 2024 11:59:34 +0000 (13:59 +0200)
committersonartech <sonartech@sonarsource.com>
Mon, 30 Sep 2024 14:11:11 +0000 (14:11 +0000)
* BC is a multi-release JAR, so the flag has to be preserved in the scanner engine shaded jar
* Not sure it was needed, but I decided to not install BC as a Security Provider, and only use it to load the pkcs12 certificate

sonar-scanner-engine-shaded/build.gradle
sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java

index dcb53b4294d102d43eab81273b90dc20ff9c68fa..2db00131ab439bff35afcb2c8b7a8bf5d35dc1ce 100644 (file)
@@ -13,7 +13,9 @@ dependencies {
 jar {
   manifest {
     attributes(
-      'Main-Class' : "org.sonar.scanner.bootstrap.ScannerMain"
+      'Main-Class' : "org.sonar.scanner.bootstrap.ScannerMain",
+      // BouncyCastle library is a multi-release jar
+      'Multi-Release' : 'true'
     )
   }
 }
index 4b42c6a6d125dc3caa192b3d6e933df723b34270..09265c58ce7491a9d3b5be8ba69101e1a2f6aa72 100644 (file)
  */
 package org.sonar.scanner.http;
 
+import java.io.InputStream;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
 import java.security.KeyStore;
-import java.security.Security;
 import java.time.Duration;
 import java.time.format.DateTimeParseException;
 import nl.altindag.ssl.SSLFactory;
-import nl.altindag.ssl.util.KeyStoreUtils;
+import nl.altindag.ssl.exception.GenericKeyStoreException;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.sonar.api.CoreProperties;
 import org.sonar.api.notifications.AnalysisWarnings;
@@ -148,15 +149,23 @@ public class ScannerWsClientProvider {
     }
     var trustStoreConfig = sslConfig.getTrustStore();
     if (trustStoreConfig != null && Files.exists(trustStoreConfig.getPath())) {
-      Security.addProvider(new BouncyCastleProvider());
-      KeyStore trustStore = KeyStoreUtils.loadKeyStore(
+      KeyStore trustStore = loadKeyStore(
         trustStoreConfig.getPath(),
         trustStoreConfig.getKeyStorePassword().toCharArray(),
-        trustStoreConfig.getKeyStoreType(),
-        BouncyCastleProvider.PROVIDER_NAME);
+        trustStoreConfig.getKeyStoreType());
       sslFactoryBuilder.withTrustMaterial(trustStore);
     }
     return sslFactoryBuilder.build();
   }
 
+  public static KeyStore loadKeyStore(Path keystorePath, char[] keystorePassword, String keystoreType) {
+    try (InputStream keystoreInputStream = Files.newInputStream(keystorePath, StandardOpenOption.READ)) {
+      KeyStore keystore = KeyStore.getInstance(keystoreType, new BouncyCastleProvider());
+      keystore.load(keystoreInputStream, keystorePassword);
+      return keystore;
+    } catch (Exception e) {
+      throw new GenericKeyStoreException(e);
+    }
+  }
+
 }
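Review bot: `loadKeyStore` hands whatever `keystoreType` the configuration carries to `KeyStore.getInstance(keystoreType, new BouncyCastleProvider())`, although the commit message says BouncyCastle is only meant for loading the PKCS12 file. If the configuration can hold another type (not visible in this hunk), one that BouncyCastle does not implement, which as far as I know includes JKS, will fail here; consider falling back to `KeyStore.getInstance(keystoreType)` for non-PKCS12 types or rejecting them explicitly. The `catch (Exception e)` then rethrows as a bare `GenericKeyStoreException(e)`, so the user never learns which truststore failed. Assuming that exception has a message-and-cause constructor, something like `throw new GenericKeyStoreException("Unable to load " + keystoreType + " truststore from " + keystorePath, e);` would name the path and type without ever including the password. The method is also new `public static` surface with no Javadoc; unless callers outside this class need it, make it `private` and add a short comment that the provider is deliberately passed per call rather than registered through `Security.addProvider`, so the JVM-wide provider list stays untouched.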