SCANJLIB-232 Add support for truststore generated by openssl

Using the Bouncycastle library, we can now load trusted keys from a pkcs12 keystore that has not been created by keytool.

Author: henryju

its/it-tests/pom.xml

@@ -59,6 +59,12 @@
       <artifactId>assertj-core</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.tngtech.java</groupId>
+      <artifactId>junit-dataprovider</artifactId>
+      <version>1.13.1</version>
+      <scope>test</scope>
+    </dependency>
 
     <!-- Logging -->
     <dependency>

its/it-tests/src/test/java/com/sonar/scanner/lib/it/SSLTest.java

@@ -23,6 +23,9 @@
 import com.sonar.orchestrator.junit4.OrchestratorRule;
 import com.sonar.orchestrator.util.NetworkUtils;
 import com.sonar.scanner.lib.it.tools.SimpleScanner;
+import com.tngtech.java.junit.dataprovider.DataProvider;
+import com.tngtech.java.junit.dataprovider.DataProviderRunner;
+import com.tngtech.java.junit.dataprovider.UseDataProvider;
 import java.net.InetAddress;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -47,17 +50,22 @@
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
+import org.junit.runner.RunWith;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
+@RunWith(DataProviderRunner.class)
 public class SSLTest {
 
   // This keystore contains only the CA used to sign the server certificate
-  private static final String KEYSTORE_CLIENT_WITH_CA = "/SSLTest/client-with-ca.p12";
+  private static final String KEYSTORE_CLIENT_WITH_CA_KEYTOOL = "/SSLTest/client-with-ca-keytool.p12";
+  private static final String KEYSTORE_CLIENT_WITH_CA_OPENSSL = "/SSLTest/client-with-ca-openssl.p12";
   private static final String CLIENT_WITH_CA_KEYSTORE_PASSWORD = "pwdClientCAP12";
 
   // This keystore contains only the server certificate
-  private static final String KEYSTORE_CLIENT_WITH_CERTIFICATE = "/SSLTest/client-with-certificate.p12";
+  private static final String KEYSTORE_CLIENT_WITH_CERTIFICATE_KEYTOOL = "/SSLTest/client-with-certificate-keytool.p12";
+  private static final String KEYSTORE_CLIENT_WITH_CERTIFICATE_OPENSSL = "/SSLTest/client-with-certificate-openssl.p12";
+  private static final String KEYSTORE_CLIENT_WITH_CERTIFICATE_OPENSSL_JDKTRUST = "/SSLTest/client-with-certificate-openssl-jdktrust.p12";
   private static final String CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD = "pwdClientP12";
 
   private static final String SERVER_KEYSTORE = "/SSLTest/server.p12";
@@ -171,7 +179,7 @@ public void simple_analysis_with_server_and_client_certificate() throws Exceptio
     assertThat(buildResult.getLastStatus()).isNotZero();
     assertThat(buildResult.getLogs()).contains("javax.net.ssl.SSLHandshakeException");
 
-    Path clientTruststore = Paths.get(SSLTest.class.getResource(KEYSTORE_CLIENT_WITH_CA).toURI()).toAbsolutePath();
+    Path clientTruststore = Paths.get(SSLTest.class.getResource(KEYSTORE_CLIENT_WITH_CA_KEYTOOL).toURI()).toAbsolutePath();
     assertThat(clientTruststore).exists();
     Path clientKeystore = Paths.get(SSLTest.class.getResource(CLIENT_KEYSTORE).toURI()).toAbsolutePath();
     assertThat(clientKeystore).exists();
@@ -197,7 +205,7 @@ public void simple_analysis_with_server_and_without_client_certificate_is_failin
     assertThat(buildResult.getLastStatus()).isNotZero();
     assertThat(buildResult.getLogs()).contains("javax.net.ssl.SSLHandshakeException");
 
-    Path clientTruststore = Paths.get(SSLTest.class.getResource(KEYSTORE_CLIENT_WITH_CA).toURI()).toAbsolutePath();
+    Path clientTruststore = Paths.get(SSLTest.class.getResource(KEYSTORE_CLIENT_WITH_CA_KEYTOOL).toURI()).toAbsolutePath();
     assertThat(clientTruststore).exists();
     Path clientKeystore = Paths.get(SSLTest.class.getResource(CLIENT_KEYSTORE).toURI()).toAbsolutePath();
     assertThat(clientKeystore).exists();
@@ -227,16 +235,8 @@ private static Path project(String projectName) {
   }
 
   @Test
-  public void simple_analysis_with_server_certificate_using_ca_in_truststore() throws Exception {
-    simple_analysis_with_server_certificate(KEYSTORE_CLIENT_WITH_CA, CLIENT_WITH_CA_KEYSTORE_PASSWORD);
-  }
-
-  @Test
-  public void simple_analysis_with_server_certificate_using_server_certificate_in_truststore() throws Exception {
-    simple_analysis_with_server_certificate(KEYSTORE_CLIENT_WITH_CERTIFICATE, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD);
-  }
-
-  private void simple_analysis_with_server_certificate(String clientTrustStore, String keyStorePassword) throws Exception {
+  @UseDataProvider("variousClientTrustStores")
+  public void simple_analysis_with_server_certificate(String clientTrustStore, String keyStorePassword, boolean useJavaSslProperties) throws Exception {
     startSSLTransparentReverseProxy(false);
     SimpleScanner scanner = new SimpleScanner();
 
@@ -248,10 +248,28 @@ private void simple_analysis_with_server_certificate(String clientTrustStore, St
     assertThat(clientTruststore).exists();
 
     Map<String, String> params = new HashMap<>();
-    params.put("javax.net.ssl.trustStore", clientTruststore.toString());
-    params.put("javax.net.ssl.trustStorePassword", keyStorePassword);
+    if (useJavaSslProperties) {
+      params.put("javax.net.ssl.trustStore", clientTruststore.toString());
+      params.put("javax.net.ssl.trustStorePassword", keyStorePassword);
+    } else {
+      params.put("sonar.scanner.truststorePath", clientTruststore.toString());
+      params.put("sonar.scanner.truststorePassword", keyStorePassword);
+    }
 
     buildResult = scanner.executeSimpleProject(project("js-sample"), "https://localhost:" + httpsPort, params, Map.of());
+    System.out.println(buildResult.getLogs());
     assertThat(buildResult.getLastStatus()).isZero();
   }
+
+  @DataProvider()
+  public static Object[][] variousClientTrustStores() {
+    return new Object[][] {
+      {KEYSTORE_CLIENT_WITH_CA_KEYTOOL, CLIENT_WITH_CA_KEYSTORE_PASSWORD, true},
+      {KEYSTORE_CLIENT_WITH_CA_OPENSSL, CLIENT_WITH_CA_KEYSTORE_PASSWORD, false},
+      {KEYSTORE_CLIENT_WITH_CERTIFICATE_KEYTOOL, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD, true},
+      {KEYSTORE_CLIENT_WITH_CERTIFICATE_OPENSSL, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD, false},
+      {KEYSTORE_CLIENT_WITH_CERTIFICATE_OPENSSL_JDKTRUST, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD, false},
+      {KEYSTORE_CLIENT_WITH_CERTIFICATE_OPENSSL_JDKTRUST, CLIENT_WITH_CERTIFICATE_KEYSTORE_PASSWORD, true}
+    };
+  }
 }

its/it-tests/src/test/java/com/sonar/scanner/lib/it/tools/SimpleScanner.java

@@ -39,11 +39,11 @@ public class SimpleScanner {
 
   public SimpleScanner() {
     if (!Files.exists(JAR_PATH)) {
-      throw new IllegalStateException("Could not find simple-scanner artifact in " + JAR_PATH.toString());
+      throw new IllegalStateException("Could not find simple-scanner artifact in " + JAR_PATH);
     }
     javaBin = Paths.get(System.getProperty("java.home"), "bin", "java");
     if (!Files.exists(javaBin)) {
-      throw new IllegalStateException("Could not find java in " + javaBin.toString());
+      throw new IllegalStateException("Could not find java in " + javaBin);
     }
 
     exec = new CommandExecutor(javaBin);
@@ -75,7 +75,7 @@ private Map<String, String> getSimpleProjectProperties(Path baseDir, String host
     analysisProperties.load(Files.newInputStream(propertiesFile));
     analysisProperties.setProperty("sonar.projectBaseDir", baseDir.toAbsolutePath().toString());
     analysisProperties.setProperty("sonar.host.url", host);
-    analysisProperties.setProperty("sonar.login", ScannerJavaLibraryTestSuite.ORCHESTRATOR.getDefaultAdminToken());
+    analysisProperties.setProperty("sonar.token", ScannerJavaLibraryTestSuite.ORCHESTRATOR.getDefaultAdminToken());
     analysisProperties.putAll(extraProps);
     return (Map) analysisProperties;
   }

its/it-tests/src/test/resources/SSLTest/README.md

@@ -286,14 +286,14 @@ The `server.p12` file can now be used to start a TLS server.
 
 #### Now let's a client to connect to our TLS server
 
-Since we've created a self signed certificate. The client must either have our certificate (without the private key) or must have the CA certificate.
+Since we've created a self-signed certificate. The client must either have our certificate (without the private key) or must have the CA certificate.
 
-##### Let's create a JKS with the server certificate
+##### Let's create a PKCS12 keystore with the server certificate
 
-This one is more easier :
+Keytool is adding extra fields to the keystore, that are not supported by older versions of openssl. Waiting for openssl 3.3.0+ and the possibility to use the `-jdktrust anyExtendedKeyUsage` option, we have to use keytool to create the keystore.
 
 ```bash
-$ keytool -import -alias localhost -keystore client-with-certificate.p12 -file server.pem 
+$ keytool -import -storetype PKCS12 -alias localhost -keystore client-with-certificate-keytool.p12 -file server.pem 
   Enter keystore password: pwdClientP12 
   Re-enter new password: pwdClientP12
   Owner: CN=localhost, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH
@@ -314,10 +314,23 @@ $ keytool -import -alias localhost -keystore client-with-certificate.p12 -file s
 The password is `pwdClientP12` and you have to `Trust this certificate`.
 This PKCS12 file must be used in a TrustedKeyStore.
 
-##### Let's create a JKS with CA certificate
+At the moment, Java can only support openssl truststore if using the new property `-jdktrust`
+```bash
+$ openssl version
+OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024)
+$ openssl pkcs12 -export -caname localhost -nokeys -in server.pem -out client-with-certificate-openssl-jdktrust.p12 --passout pass:pwdClientP12 -jdktrust anyExtendedKeyUsage
+```
+
+Thanks to bouncycastle addition, we can now accept openssl generated PKCS12 keystore out-of-the-box.
 
 ```bash
-$ keytool -import -trustcacerts -alias localhost -keystore client-with-ca.p12 -file ca.crt
+$ openssl pkcs12 -export -caname localhost -nokeys -in server.pem -out client-with-certificate-openssl.p12 --passout pass:pwdClientP12
+```
+
+##### Let's also create a PKCS12 keystore with only the CA certificate
+
+```bash
+$ keytool -import -storetype PKCS12 -trustcacerts -alias localhost -keystore client-with-ca-keytool.p12 -file ca.crt
   Enter keystore password: pwdClientCAP12 
   Re-enter new password: pwdClientCAP12
   Owner: CN=SonarSource, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH
@@ -363,6 +376,12 @@ $ keytool -import -trustcacerts -alias localhost -keystore client-with-ca.p12 -f
 The password is `pwdClientCAP12` and you have to `Trust this certificate`.
 This PKCS12 file must be used in a TrustedKeyStore.
 
+Thanks to bouncycastle addition, we can now accept openssl generated PKCS12 keystore out-of-the-box:
+
+```bash
+$ openssl pkcs12 -export -caname localhost -nokeys -in ca.crt -out client-with-ca-openssl.p12 --passout pass:pwdClientCAP12
+```
+
 ### Create a certificate that will be used to authenticate a user
 
 The principle is the same we'll have a CA authority signing certificates that will be send by the user to the server.
@@ -401,7 +420,7 @@ subject=C = CH, ST = Geneva, L = Geneva, O = SonarSource SA, CN = Julien Henry
 Getting CA Private Key
 ```
 
-Let's create the pkcs12 certificate containing the client certificate
+Let's create the pkcs12 keystore containing the client certificate
 
 ```bash
 $ openssl pkcs12 -export -in client.pem -inkey client.key -name julienhenry -out client.p12
@@ -413,7 +432,7 @@ This will go to client keyStore.
 Now we'll generate the `server-with-client-ca.p12` file that will have the CA certificate. Since we don't need to add the key of the certificate (only required to sign, not to verify), we can import it directly with keytool.
 
 ```bash
-$ keytool -import -trustcacerts -alias client-ca -keystore server-with-client-ca.p12 -file ca-client-auth.crt
+$ keytool -import -storetype PKCS12 -trustcacerts -alias client-ca -keystore server-with-client-ca.p12 -file ca-client-auth.crt
 Enter keystore password: pwdServerWithClientCA 
 Re-enter new password: pwdServerWithClientCA
 Owner: CN=SonarSource, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH