SCANJLIB-256 Add support for empty keystore passwords (#230)

Author: henryju

batch-interface/pom.xml

@@ -3,7 +3,7 @@
   <parent>
     <groupId>org.sonarsource.scanner.lib</groupId>
     <artifactId>sonar-scanner-java-library-parent</artifactId>
-    <version>3.3-SNAPSHOT</version>
+    <version>3.2.1-SNAPSHOT</version>
   </parent>
 
   <artifactId>sonar-scanner-java-library-batch-interface</artifactId>

batch/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.sonarsource.scanner.lib</groupId>
     <artifactId>sonar-scanner-java-library-parent</artifactId>
-    <version>3.3-SNAPSHOT</version>
+    <version>3.2.1-SNAPSHOT</version>
   </parent>
 
   <artifactId>sonar-scanner-java-library-batch</artifactId>

its/it-simple-scanner/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.sonarsource.scanner.lib</groupId>
     <artifactId>it</artifactId>
-    <version>3.3-SNAPSHOT</version>
+    <version>3.2.1-SNAPSHOT</version>
   </parent>
 
   <artifactId>it-scanner-java-library-simple-scanner</artifactId>

its/it-tests/pom.xml

@@ -3,7 +3,7 @@
   <parent>
     <groupId>org.sonarsource.scanner.lib</groupId>
     <artifactId>it</artifactId>
-    <version>3.3-SNAPSHOT</version>
+    <version>3.2.1-SNAPSHOT</version>
   </parent>
 
   <artifactId>it-sonar-scanner-java-library</artifactId>

its/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <groupId>org.sonarsource.scanner.lib</groupId>
     <artifactId>sonar-scanner-java-library-parent</artifactId>
-    <version>3.3-SNAPSHOT</version>
+    <version>3.2.1-SNAPSHOT</version>
   </parent>
 
   <artifactId>it</artifactId>

lib/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.sonarsource.scanner.lib</groupId>
     <artifactId>sonar-scanner-java-library-parent</artifactId>
-    <version>3.3-SNAPSHOT</version>
+    <version>3.2.1-SNAPSHOT</version>
   </parent>
 
   <artifactId>sonar-scanner-java-library</artifactId>

lib/src/main/java/org/sonarsource/scanner/lib/internal/facade/forked/ScannerEngineLauncher.java

@@ -33,6 +33,7 @@
 import org.slf4j.LoggerFactory;
 import org.sonarsource.scanner.lib.ScannerProperties;
 import org.sonarsource.scanner.lib.internal.cache.CachedFile;
+import org.sonarsource.scanner.lib.internal.http.OkHttpClientFactory;
 
 public class ScannerEngineLauncher {
 
@@ -105,6 +106,7 @@ private List<String> buildArgs(Map<String, String> properties) {
     if (javaOpts != null) {
       args.addAll(split(javaOpts));
     }
+    args.add("-D" + OkHttpClientFactory.BC_IGNORE_USELESS_PASSWD + "=true");
     args.add("-jar");
     args.add(scannerEngineJar.getPathInCache().toAbsolutePath().toString());
     return args;

lib/src/main/java/org/sonarsource/scanner/lib/internal/http/OkHttpClientFactory.java

@@ -42,6 +42,7 @@
 import okhttp3.OkHttpClient;
 import okhttp3.logging.HttpLoggingInterceptor;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.util.Properties;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.sonarsource.scanner.lib.internal.http.ssl.CertificateStore;
@@ -60,6 +61,8 @@ public class OkHttpClientFactory {
   private static final String PROXY_AUTHORIZATION = "Proxy-Authorization";
   // use the same cookie jar for all instances
   private static final JavaNetCookieJar COOKIE_JAR;
+  // This property tells Bouncycastle to not fail on empty keystore passwords
+  public static final String BC_IGNORE_USELESS_PASSWD = "org.bouncycastle.pkcs12.ignore_useless_passwd";
 
   private OkHttpClientFactory() {
     // only statics
@@ -158,6 +161,7 @@ private static void loadIdentityMaterialWithDefaultPassword(SSLFactory.Builder s
 
   static KeyStore loadTrustStoreWithBouncyCastle(Path keystorePath, @Nullable String keystorePassword, String keystoreType) throws IOException,
     KeyStoreException, CertificateException, NoSuchAlgorithmException {
+    Properties.setThreadOverride(BC_IGNORE_USELESS_PASSWD, true);
     KeyStore keystore = KeyStore.getInstance(keystoreType, new BouncyCastleProvider());
     if (keystorePassword != null) {
       loadKeyStoreWithPassword(keystorePath, keystore, keystorePassword);

lib/src/test/java/org/sonarsource/scanner/lib/internal/facade/forked/ScannerEngineLauncherTest.java

@@ -59,7 +59,7 @@ void execute() {
     launcher.execute(properties);
 
     verify(javaRunner).execute(
-      eq(List.of("-Xmx4g", "-Xms1g", "-jar", scannerEngine.toAbsolutePath().toString())),
+      eq(List.of("-Xmx4g", "-Xms1g", "-Dorg.bouncycastle.pkcs12.ignore_useless_passwd=true", "-jar", scannerEngine.toAbsolutePath().toString())),
       eq("{\"scannerProperties\":[{\"key\":\"sonar.host.url\",\"value\":\"http://localhost:9000\"},{\"key\":\"sonar.scanner.javaOpts\",\"value\":\"-Xmx4g -Xms1g\"}]}"),
       any());
   }
@@ -76,7 +76,7 @@ void replace_null_values_by_empty_in_json_and_ignore_null_key() {
     launcher.execute(properties);
 
     verify(javaRunner).execute(
-      eq(List.of("-jar", scannerEngine.toAbsolutePath().toString())),
+      eq(List.of("-Dorg.bouncycastle.pkcs12.ignore_useless_passwd=true", "-jar", scannerEngine.toAbsolutePath().toString())),
       eq("{\"scannerProperties\":[{\"key\":\"sonar.myProp\",\"value\":\"\"}]}"),
       any());
   }

lib/src/test/java/org/sonarsource/scanner/lib/internal/http/OkHttpClientFactoryTest.java

@@ -32,6 +32,7 @@
 import javax.annotation.Nullable;
 import javax.net.ssl.SSLHandshakeException;
 import nl.altindag.ssl.exception.GenericKeyStoreException;
+import nl.altindag.ssl.exception.GenericSecurityException;
 import okhttp3.Request;
 import okhttp3.Response;
 import org.junit.jupiter.api.BeforeEach;
@@ -85,15 +86,17 @@ void prepareMocks() {
 
   @ParameterizedTest
   @CsvSource({
-    "keystore_changeit.p12, wrong,        false",
-    "keystore_changeit.p12, changeit,     true",
-    "keystore_changeit.p12,,              true",
-    "keystore_sonar.p12,    wrong,        false",
-    "keystore_sonar.p12,    sonar,        true",
-    "keystore_sonar.p12,,                 true",
-    "keystore_anotherpwd.p12, wrong,      false",
-    "keystore_anotherpwd.p12, anotherpwd, true",
-    "keystore_anotherpwd.p12,,            false"})
+    "keystore_changeit.p12,   wrong,        false",
+    "keystore_changeit.p12,   changeit,     true",
+    "keystore_changeit.p12,,                true",
+    "keystore_sonar.p12,      wrong,        false",
+    "keystore_sonar.p12,      sonar,        true",
+    "keystore_sonar.p12,,                   true",
+    "keystore_anotherpwd.p12, wrong,        false",
+    "keystore_anotherpwd.p12, anotherpwd,   true",
+    "keystore_anotherpwd.p12,,              false",
+    "keystore_emptypwd.p12,   wrong,        true",
+    "keystore_emptypwd.p12,,                true"})
   void it_should_fail_if_invalid_truststore_password(String keystore, @Nullable String password, boolean shouldSucceed) {
     bootstrapProperties.put("sonar.scanner.truststorePath", toPath(requireNonNull(OkHttpClientFactoryTest.class.getResource("/ssl/" + keystore))).toString());
     if (password != null) {
@@ -106,21 +109,23 @@ void it_should_fail_if_invalid_truststore_password(String keystore, @Nullable St
       assertThatThrownBy(() -> OkHttpClientFactory.create(new HttpConfig(bootstrapProperties, sonarUserHome)))
         .isInstanceOf(GenericKeyStoreException.class)
         .hasMessageContaining("Unable to read truststore from")
-        .hasStackTraceContaining("wrong password or corrupted file");
+        .hasStackTraceContaining("password");
     }
   }
 
   @ParameterizedTest
   @CsvSource({
-    "keystore_changeit.p12, wrong,        false",
-    "keystore_changeit.p12, changeit,     true",
-    "keystore_changeit.p12,,              true",
-    "keystore_sonar.p12,    wrong,        false",
-    "keystore_sonar.p12,    sonar,        true",
-    "keystore_sonar.p12,,                 true",
-    "keystore_anotherpwd.p12, wrong,      false",
-    "keystore_anotherpwd.p12, anotherpwd, true",
-    "keystore_anotherpwd.p12,,            false"})
+    "keystore_changeit.p12,   wrong,        false",
+    "keystore_changeit.p12,   changeit,     true",
+    "keystore_changeit.p12,,                true",
+    "keystore_sonar.p12,      wrong,        false",
+    "keystore_sonar.p12,      sonar,        true",
+    "keystore_sonar.p12,,                   true",
+    "keystore_anotherpwd.p12, wrong,        false",
+    "keystore_anotherpwd.p12, anotherpwd,   true",
+    "keystore_anotherpwd.p12,,              false",
+    "keystore_emptypwd.p12,   wrong,        true",
+    "keystore_emptypwd.p12,,                true"})
   void it_should_fail_if_invalid_keystore_password(String keystore, @Nullable String password, boolean shouldSucceed) {
     bootstrapProperties.put("sonar.scanner.keystorePath", toPath(requireNonNull(OkHttpClientFactoryTest.class.getResource("/ssl/" + keystore))).toString());
     if (password != null) {
@@ -131,7 +136,7 @@ void it_should_fail_if_invalid_keystore_password(String keystore, @Nullable Stri
       assertThatNoException().isThrownBy(() -> OkHttpClientFactory.create(new HttpConfig(bootstrapProperties, sonarUserHome)));
     } else {
       assertThatThrownBy(() -> OkHttpClientFactory.create(new HttpConfig(bootstrapProperties, sonarUserHome)))
-        .isInstanceOf(GenericKeyStoreException.class)
+        .isInstanceOf(GenericSecurityException.class)
         .hasMessageContaining("keystore password was incorrect");
     }
   }