From ce1314e8e061ba941a96c2e220da9898e271b3f8 Mon Sep 17 00:00:00 2001 From: Julien HENRY Date: Wed, 20 Nov 2024 11:41:32 +0100 Subject: SONAR-23680 Support changeit as default keystore password --- .../scanner/http/ScannerWsClientProvider.java | 49 +++++++++++++++++----- .../sonar/scanner/http/ssl/CertificateStore.java | 15 +++++-- 2 files changed, 50 insertions(+), 14 deletions(-) (limited to 'sonar-scanner-engine/src/main/java/org/sonar') diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java index 67e224f8845..f11e481d749 100644 --- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java +++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java @@ -32,8 +32,10 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.time.Duration; import java.time.format.DateTimeParseException; +import javax.annotation.Nullable; import nl.altindag.ssl.SSLFactory; import nl.altindag.ssl.exception.GenericKeyStoreException; +import nl.altindag.ssl.util.KeyStoreUtils; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -137,10 +139,10 @@ public class ScannerWsClientProvider { private static SslConfig parseSslConfig(ScannerProperties scannerProperties, SonarUserHome sonarUserHome) { var keyStorePath = defaultIfBlank(scannerProperties.property("sonar.scanner.keystorePath"), sonarUserHome.getPath().resolve("ssl/keystore.p12").toString()); - var keyStorePassword = defaultIfBlank(scannerProperties.property("sonar.scanner.keystorePassword"), CertificateStore.DEFAULT_PASSWORD); - var trustStorePath = defaultIfBlank(scannerProperties.property("sonar.scanner.truststorePath"), sonarUserHome.getPath().resolve("ssl/truststore.p12").toString()); - var trustStorePassword = defaultIfBlank(scannerProperties.property("sonar.scanner.truststorePassword"), CertificateStore.DEFAULT_PASSWORD); + var keyStorePassword = scannerProperties.property("sonar.scanner.keystorePassword"); var keyStore = new CertificateStore(Path.of(keyStorePath), keyStorePassword); + var trustStorePath = defaultIfBlank(scannerProperties.property("sonar.scanner.truststorePath"), sonarUserHome.getPath().resolve("ssl/truststore.p12").toString()); + var trustStorePassword = scannerProperties.property("sonar.scanner.truststorePassword"); var trustStore = new CertificateStore(Path.of(trustStorePath), trustStorePassword); return new SslConfig(keyStore, trustStore); } @@ -154,15 +156,18 @@ public class ScannerWsClientProvider { } var keyStoreConfig = sslConfig.getKeyStore(); if (keyStoreConfig != null && Files.exists(keyStoreConfig.getPath())) { - sslFactoryBuilder.withIdentityMaterial(keyStoreConfig.getPath(), keyStoreConfig.getKeyStorePassword().toCharArray(), keyStoreConfig.getKeyStoreType()); + keyStoreConfig.getKeyStorePassword() + .ifPresentOrElse( + password -> sslFactoryBuilder.withIdentityMaterial(keyStoreConfig.getPath(), password.toCharArray(), keyStoreConfig.getKeyStoreType()), + () -> loadIdentityMaterialWithDefaultPassword(sslFactoryBuilder, keyStoreConfig.getPath())); } var trustStoreConfig = sslConfig.getTrustStore(); if (trustStoreConfig != null && Files.exists(trustStoreConfig.getPath())) { KeyStore trustStore; try { - trustStore = loadKeyStoreWithBouncyCastle( + trustStore = loadTrustStoreWithBouncyCastle( trustStoreConfig.getPath(), - trustStoreConfig.getKeyStorePassword().toCharArray(), + trustStoreConfig.getKeyStorePassword().orElse(null), trustStoreConfig.getKeyStoreType()); LOG.debug("Loaded truststore from '{}' containing {} certificates", trustStoreConfig.getPath(), trustStore.size()); } catch (KeyStoreException | IOException | CertificateException | NoSuchAlgorithmException e) { @@ -173,12 +178,36 @@ public class ScannerWsClientProvider { return sslFactoryBuilder.build(); } - static KeyStore loadKeyStoreWithBouncyCastle(Path keystorePath, char[] keystorePassword, String keystoreType) throws IOException, + private static void loadIdentityMaterialWithDefaultPassword(SSLFactory.Builder sslFactoryBuilder, Path path) { + try { + var keystore = KeyStoreUtils.loadKeyStore(path, CertificateStore.DEFAULT_PASSWORD.toCharArray(), CertificateStore.DEFAULT_STORE_TYPE); + sslFactoryBuilder.withIdentityMaterial(keystore, CertificateStore.DEFAULT_PASSWORD.toCharArray()); + } catch (GenericKeyStoreException e) { + var keystore = KeyStoreUtils.loadKeyStore(path, CertificateStore.OLD_DEFAULT_PASSWORD.toCharArray(), CertificateStore.DEFAULT_STORE_TYPE); + LOG.warn("Using deprecated default password for keystore '{}'.", path); + sslFactoryBuilder.withIdentityMaterial(keystore, CertificateStore.OLD_DEFAULT_PASSWORD.toCharArray()); + } + } + + static KeyStore loadTrustStoreWithBouncyCastle(Path keystorePath, @Nullable String keystorePassword, String keystoreType) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException { + KeyStore keystore = KeyStore.getInstance(keystoreType, new BouncyCastleProvider()); + if (keystorePassword != null) { + loadKeyStoreWithPassword(keystorePath, keystore, keystorePassword); + } else { + try { + loadKeyStoreWithPassword(keystorePath, keystore, CertificateStore.DEFAULT_PASSWORD); + } catch (Exception e) { + loadKeyStoreWithPassword(keystorePath, keystore, CertificateStore.OLD_DEFAULT_PASSWORD); + LOG.warn("Using deprecated default password for truststore '{}'.", keystorePath); + } + } + return keystore; + } + + private static void loadKeyStoreWithPassword(Path keystorePath, KeyStore keystore, String oldDefaultPassword) throws IOException, NoSuchAlgorithmException, CertificateException { try (InputStream keystoreInputStream = Files.newInputStream(keystorePath, StandardOpenOption.READ)) { - KeyStore keystore = KeyStore.getInstance(keystoreType, new BouncyCastleProvider()); - keystore.load(keystoreInputStream, keystorePassword); - return keystore; + keystore.load(keystoreInputStream, oldDefaultPassword.toCharArray()); } } diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ssl/CertificateStore.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ssl/CertificateStore.java index b285d3bb478..79d490cb12e 100644 --- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ssl/CertificateStore.java +++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ssl/CertificateStore.java @@ -20,15 +20,22 @@ package org.sonar.scanner.http.ssl; import java.nio.file.Path; +import java.util.Optional; +import javax.annotation.Nullable; public class CertificateStore { - public static final String DEFAULT_PASSWORD = "sonar"; + public static final String DEFAULT_PASSWORD = "changeit"; + /** + * @deprecated it was a bad decision to use this value as default password, as the keytool utility requires a password to be at least 6 characters long + */ + @Deprecated(since = "11.4") + public static final String OLD_DEFAULT_PASSWORD = "sonar"; public static final String DEFAULT_STORE_TYPE = "PKCS12"; private final Path path; private final String keyStorePassword; private final String keyStoreType; - public CertificateStore(Path path, String keyStorePassword) { + public CertificateStore(Path path, @Nullable String keyStorePassword) { this.path = path; this.keyStorePassword = keyStorePassword; this.keyStoreType = DEFAULT_STORE_TYPE; @@ -38,8 +45,8 @@ public class CertificateStore { return path; } - public String getKeyStorePassword() { - return keyStorePassword; + public Optional getKeyStorePassword() { + return Optional.ofNullable(keyStorePassword); } public String getKeyStoreType() { -- cgit v1.2.3