[JENKINS-72249] switch to JcaContentSignerBuilder in order to obtain a ContentSigner

[jtnord]

JENKINS-72249 can not connect JNLP4 agents to controller with BC-FIPS configured

Switch implementation to use classes available in both regular and fips versions of bouncycastle.

AsymmetricKeyParameter was available in bcprov but not in bc-fips. JCAContentSignerBuilder is available in the regular bcpkix and bcpkix-fips.

The higher level API also has the benefit that the code becomes more legible.

Testing done

• tested a snapshot of this in a clean non fips environment and provisioned a k8s based agent using JNLP4.

• tested a snapshot of this PR in the environment that exhibited the issue and validated that k8s based JNLP4 agents can launch without issue after this change.

• Additionally excluded the bouncycastle jars and substituted in the bc-fips variants, registered the provider in the tests and ran the tests that covered this area (mvn -Dtest=ReadWriteKeyTest InstanceIdentityTest).

expand to see the diff used

diff --git a/pom.xml b/pom.xml
index 606eb3a..6e10a0e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -61,9 +61,33 @@
     </dependencies>
   </dependencyManagement>
   <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bc-fips</artifactId>
+      <version>1.0.2.4</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-fips</artifactId>
+      <version>1.0.7</version>
+    </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>bouncycastle-api</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcpkix-jdk18on</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcprov-jdk18on</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcutil-jdk18on</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
   </dependencies>
 </project>
diff --git a/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java b/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java
index d7743ad..0cbd90f 100644
--- a/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java
+++ b/src/test/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentityTest.java
@@ -31,7 +31,7 @@ import java.io.File;
 import java.io.FileInputStream;
 
 import static org.junit.Assert.*;
-
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
@@ -39,6 +39,10 @@ import org.jvnet.hudson.test.recipes.LocalData;
 
 public class InstanceIdentityTest {
 
+    static {
+        java.security.Security.addProvider(new BouncyCastleFipsProvider());
+    }
+
     @Rule public JenkinsRule r = new JenkinsRule();
 
     private static final String TEST_IDENTITY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6R6FrlvuyBPstxHKCnRL+oKzEGlgGydD/1Tj/LhCAzgXKnJZFEvo3rrz8CqcWbW3gt04bNXcET9NvAATisR1KP2Zi3EUG/jsXy7q9tr9t0NVAgGC5i5MtU+VFo/te0xAou7nsGng6T/FCXCq1nSeBdfAEQ23+fwyNtJpSbP2EqOrycLox+Xh6M91rt1c3JEHEe/FIrD+NhHQ4m6R/HwWH6DDq8W7P8y9j9/ToVSBBZr0pRETBZre5nkJiwJ/EWnbjqqJ/LguOMTukxPXe8/b9CDFrkuzpYUn8ChtL0DDCE/SoI9jwBSXwj5kQyNoyC9sVrbmEbuAPZ2dRzcDen09CwIDAQAB";
diff --git a/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java b/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java
index 5ba9fcf..e3c0dda 100644
--- a/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java
+++ b/src/test/java/org/jenkinsci/main/modules/instance_identity/ReadWriteKeyTest.java
@@ -35,8 +35,10 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyPair;
+import java.security.Provider;
 import java.security.Security;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+//import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.jenkinsci.main.modules.instance_identity.pem.PEMHelper;
 import org.junit.BeforeClass;
 import org.junit.Rule;
@@ -45,6 +47,9 @@ import org.junit.rules.TemporaryFolder;
 
 public class ReadWriteKeyTest {
 
+    static {
+        java.security.Security.addProvider(new BouncyCastleFipsProvider());
+    }
     private static Path PEM_PCKS1_FILE;
     private static Path PEM_PCKS8_FILE;
     private static byte[] KEY_PRIVATE_ENCODED;
@@ -70,7 +75,7 @@ public class ReadWriteKeyTest {
                 .getClassLoader()
                 .getResource("private-key-public-encoded.bin")
                 .toURI()));
-        Security.addProvider(new BouncyCastleProvider());
+        //Security.addProvider(new BouncyCastleProvider());
     }
 
     @Test

Submitter checklist

Preview Give feedback

1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
2. Ensure that the pull request title represents the desired changelog entry
3. Please describe what you did
4. Link to relevant issues in GitHub or Jira
5. Link to relevant pull requests, esp. upstream and downstream changes
6. Ensure you have provided tests - that demonstrates feature works or fixes the issue

[timja]

nice

[jglick]

@jtnord would you like a release now, or are you waiting for a review from @olamy?

[jtnord]

Thanks for asking @jglick.
I was giving @olamy chance to review as I'm not in a rush.
I should have write permissions here also to be able to merge.

[olamy]

lgtm