diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java index 09265c58ce74..67e224f8845e 100644 --- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java +++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/http/ScannerWsClientProvider.java @@ -19,6 +19,7 @@ */ package org.sonar.scanner.http; +import java.io.IOException; import java.io.InputStream; import java.net.InetSocketAddress; import java.net.Proxy; @@ -26,11 +27,16 @@ import java.nio.file.Path; import java.nio.file.StandardOpenOption; import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; import java.time.Duration; import java.time.format.DateTimeParseException; import nl.altindag.ssl.SSLFactory; import nl.altindag.ssl.exception.GenericKeyStoreException; import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.sonar.api.CoreProperties; import org.sonar.api.notifications.AnalysisWarnings; import org.sonar.api.utils.System2; @@ -52,6 +58,9 @@ import static org.sonar.core.config.ProxyProperties.HTTP_PROXY_USER; public class ScannerWsClientProvider { + + private static final Logger LOG = LoggerFactory.getLogger(ScannerWsClientProvider.class); + static final int DEFAULT_CONNECT_TIMEOUT = 5; static final int DEFAULT_RESPONSE_TIMEOUT = 0; static final String READ_TIMEOUT_SEC_PROPERTY = "sonar.ws.timeout"; @@ -149,22 +158,27 @@ private static SSLFactory configureSsl(SslConfig sslConfig, System2 system2) { } var trustStoreConfig = sslConfig.getTrustStore(); if (trustStoreConfig != null && Files.exists(trustStoreConfig.getPath())) { - KeyStore trustStore = loadKeyStore( - trustStoreConfig.getPath(), - trustStoreConfig.getKeyStorePassword().toCharArray(), - trustStoreConfig.getKeyStoreType()); + KeyStore trustStore; + try { + trustStore = loadKeyStoreWithBouncyCastle( + trustStoreConfig.getPath(), + trustStoreConfig.getKeyStorePassword().toCharArray(), + trustStoreConfig.getKeyStoreType()); + LOG.debug("Loaded truststore from '{}' containing {} certificates", trustStoreConfig.getPath(), trustStore.size()); + } catch (KeyStoreException | IOException | CertificateException | NoSuchAlgorithmException e) { + throw new GenericKeyStoreException("Unable to read truststore from '" + trustStoreConfig.getPath() + "'", e); + } sslFactoryBuilder.withTrustMaterial(trustStore); } return sslFactoryBuilder.build(); } - public static KeyStore loadKeyStore(Path keystorePath, char[] keystorePassword, String keystoreType) { + static KeyStore loadKeyStoreWithBouncyCastle(Path keystorePath, char[] keystorePassword, String keystoreType) throws IOException, + KeyStoreException, CertificateException, NoSuchAlgorithmException { try (InputStream keystoreInputStream = Files.newInputStream(keystorePath, StandardOpenOption.READ)) { KeyStore keystore = KeyStore.getInstance(keystoreType, new BouncyCastleProvider()); keystore.load(keystoreInputStream, keystorePassword); return keystore; - } catch (Exception e) { - throw new GenericKeyStoreException(e); } } diff --git a/sonar-scanner-engine/src/test/java/org/sonar/scanner/http/ScannerWsClientProviderTest.java b/sonar-scanner-engine/src/test/java/org/sonar/scanner/http/ScannerWsClientProviderTest.java index e605999ddd34..3aea5460db9a 100644 --- a/sonar-scanner-engine/src/test/java/org/sonar/scanner/http/ScannerWsClientProviderTest.java +++ b/sonar-scanner-engine/src/test/java/org/sonar/scanner/http/ScannerWsClientProviderTest.java @@ -30,6 +30,7 @@ import java.util.HashMap; import java.util.Map; import java.util.Properties; +import nl.altindag.ssl.exception.GenericKeyStoreException; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Tag; @@ -319,6 +320,19 @@ void it_should_trust_server_self_signed_certificate_when_certificate_is_in_trust assertThat(r.content()).isEqualTo("Success"); } } + + @Test + void it_should_fail_if_invalid_truststore_password() { + scannerProps.put("sonar.host.url", sonarqubeMock.baseUrl()); + scannerProps.put("sonar.scanner.truststorePath", toPath(requireNonNull(ScannerWsClientProviderTest.class.getResource("/ssl/client-truststore.p12"))).toString()); + scannerProps.put("sonar.scanner.truststorePassword", "wrong_password"); + + var scannerPropsObj = new ScannerProperties(scannerProps); + var thrown = assertThrows(GenericKeyStoreException.class, + () -> underTest.provide(scannerPropsObj, env, GLOBAL_ANALYSIS_MODE, system2, ANALYSIS_WARNINGS, sonarUserHome)); + + assertThat(thrown).hasStackTraceContaining("Unable to read truststore"); + } } @Nested