From: Julien HENRY Date: Fri, 27 Sep 2024 11:59:34 +0000 (+0200) Subject: SONAR-23013 Fix the usage of Bouncycastle X-Git-Tag: 10.7.0.96327~3 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e1b5c43a94b67ca6774f67451ca5a45cd2c9036f;p=sonarqube.git SONAR-23013 Fix the usage of Bouncycastle * BC is a multi-release JAR, so the flag has to be preserved in the scanner engine shaded jar * Not sure it was needed, but I decided to not install BC as a Security Provider, and only use it to load the pkcs12 certificate --- diff --git a/sonar-scanner-engine-shaded/build.gradle b/sonar-scanner-engine-shaded/build.gradle index dcb53b4294d..2db00131ab4 100644 --- a/sonar-scanner-engine-shaded/build.gradle +++ b/sonar-scanner-engine-shaded/build.gradle @@ -13,7 +13,9 @@ dependencies { jar { manifest { attributes( - 'Main-Class' : "org.sonar.scanner.bootstrap.ScannerMain" + 'Main-Class' : "org.sonar.scanner.bootstrap.ScannerMain", + // BouncyCastle library is a multi-release jar + 'Multi-Release' : 'true' ) } } diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java index 4b42c6a6d12..09265c58ce7 100644 --- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java +++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java @@ -19,16 +19,17 @@ */ package org.sonar.scanner.http; +import java.io.InputStream; import java.net.InetSocketAddress; import java.net.Proxy; import java.nio.file.Files; import java.nio.file.Path; +import java.nio.file.StandardOpenOption; import java.security.KeyStore; -import java.security.Security; import java.time.Duration; import java.time.format.DateTimeParseException; import nl.altindag.ssl.SSLFactory; -import nl.altindag.ssl.util.KeyStoreUtils; +import nl.altindag.ssl.exception.GenericKeyStoreException; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.sonar.api.CoreProperties; import org.sonar.api.notifications.AnalysisWarnings; @@ -148,15 +149,23 @@ public class ScannerWsClientProvider { } var trustStoreConfig = sslConfig.getTrustStore(); if (trustStoreConfig != null && Files.exists(trustStoreConfig.getPath())) { - Security.addProvider(new BouncyCastleProvider()); - KeyStore trustStore = KeyStoreUtils.loadKeyStore( + KeyStore trustStore = loadKeyStore( trustStoreConfig.getPath(), trustStoreConfig.getKeyStorePassword().toCharArray(), - trustStoreConfig.getKeyStoreType(), - BouncyCastleProvider.PROVIDER_NAME); + trustStoreConfig.getKeyStoreType()); sslFactoryBuilder.withTrustMaterial(trustStore); } return sslFactoryBuilder.build(); } + public static KeyStore loadKeyStore(Path keystorePath, char[] keystorePassword, String keystoreType) { + try (InputStream keystoreInputStream = Files.newInputStream(keystorePath, StandardOpenOption.READ)) { + KeyStore keystore = KeyStore.getInstance(keystoreType, new BouncyCastleProvider()); + keystore.load(keystoreInputStream, keystorePassword); + return keystore; + } catch (Exception e) { + throw new GenericKeyStoreException(e); + } + } + }