From b77ddcada3cdbef9daacf8cb18da96d44112ffbf Mon Sep 17 00:00:00 2001
From: Julien HENRY
Date: Thu, 12 Sep 2024 10:46:14 +0200
Subject: [PATCH] SONAR-23013 Support PKCS12 truststore created by openssl
---
 sonar-scanner-engine/build.gradle | 1 +
 .../scanner/http/ScannerWsClientProvider.java | 22 ++++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/sonar-scanner-engine/build.gradle b/sonar-scanner-engine/build.gradle
index 4a7d8bc12ea..d14a72fa831 100644
--- a/sonar-scanner-engine/build.gradle
+++ b/sonar-scanner-engine/build.gradle
@@ -32,6 +32,7 @@ dependencies {
 api 'com.squareup.okhttp3:okhttp'
 api 'com.fasterxml.staxmate:staxmate'
 implementation 'io.github.hakky54:sslcontext-kickstart'
+ implementation 'org.bouncycastle:bcprov-jdk18on'
 api 'javax.annotation:javax.annotation-api'
 api 'org.eclipse.jgit:org.eclipse.jgit'
 api 'org.tmatesoft.svnkit:svnkit'
diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java
index 2511daf5d0f..4b42c6a6d12 100644
--- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java
+++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java
@@ -23,9 +23,13 @@ import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.Security;
 import java.time.Duration;
 import java.time.format.DateTimeParseException;
 import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.util.KeyStoreUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.sonar.api.CoreProperties;
 import org.sonar.api.notifications.AnalysisWarnings;
 import org.sonar.api.utils.System2;
@@ -138,13 +142,19 @@ public class ScannerWsClientProvider {
 if (system2.properties().containsKey("javax.net.ssl.keyStore")) {
 sslFactoryBuilder.withSystemPropertyDerivedIdentityMaterial();
 }
- var keyStore = sslConfig.getKeyStore();
- if (keyStore != null && Files.exists(keyStore.getPath())) {
- sslFactoryBuilder.withIdentityMaterial(keyStore.getPath(), keyStore.getKeyStorePassword().toCharArray(), keyStore.getKeyStoreType());
+ var keyStoreConfig = sslConfig.getKeyStore();
+ if (keyStoreConfig != null && Files.exists(keyStoreConfig.getPath())) {
+ sslFactoryBuilder.withIdentityMaterial(keyStoreConfig.getPath(), keyStoreConfig.getKeyStorePassword().toCharArray(), keyStoreConfig.getKeyStoreType());
 }
- var trustStore = sslConfig.getTrustStore();
- if (trustStore != null && Files.exists(trustStore.getPath())) {
- sslFactoryBuilder.withTrustMaterial(trustStore.getPath(), trustStore.getKeyStorePassword().toCharArray(), trustStore.getKeyStoreType());
+ var trustStoreConfig = sslConfig.getTrustStore();
+ if (trustStoreConfig != null && Files.exists(trustStoreConfig.getPath())) {
+ Security.addProvider(new BouncyCastleProvider());
+ KeyStore trustStore = KeyStoreUtils.loadKeyStore(
+ trustStoreConfig.getPath(),
+ trustStoreConfig.getKeyStorePassword().toCharArray(),
+ trustStoreConfig.getKeyStoreType(),
+ BouncyCastleProvider.PROVIDER_NAME);
+ sslFactoryBuilder.withTrustMaterial(trustStore);
 }
 return sslFactoryBuilder.build();
 }
-- 
2.39.5
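Review bot: `Security.addProvider(new BouncyCastleProvider())` in the trust-store branch registers BouncyCastle JVM-wide as a side effect of building one HTTP client, so every other component running in the scanner process sees a changed provider list. The provider can be scoped to this single load by handing the instance to the JDK instead of registering it and looking it up by name, as sketched below. The trust store now always goes through BouncyCastle while the identity key store just above still uses the default providers; if `getKeyStoreType()` can return a type BouncyCastle does not implement, a configuration that loaded before would presumably fail, so that is worth confirming or covering with a fallback to the default provider. The enclosing method starts outside the hunk, so the checked exceptions thrown by the JDK calls in the sketch have to be handled the way that method already does.

```java
// … unchanged: identity material and the trustStoreConfig null/exists check …
KeyStore trustStore = KeyStore.getInstance(trustStoreConfig.getKeyStoreType(), new BouncyCastleProvider());
try (var in = Files.newInputStream(trustStoreConfig.getPath())) {
  trustStore.load(in, trustStoreConfig.getKeyStorePassword().toCharArray());
}
sslFactoryBuilder.withTrustMaterial(trustStore);
```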