[JENKINS-74907] Add validations when Jenkins is in FIPS mode

pom.xml

@@ -75,8 +75,8 @@ THE SOFTWARE.
   <properties>
     <changelist>999999-SNAPSHOT</changelist>
     <!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
-    <jenkins.baseline>2.452</jenkins.baseline>
-    <jenkins.version>${jenkins.baseline}.4</jenkins.version>
+    <jenkins.baseline>2.462</jenkins.baseline>
+    <jenkins.version>${jenkins.baseline}.3</jenkins.version>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
     <hpi.compatibleSinceVersion>1626</hpi.compatibleSinceVersion>
     <spotless.check.skip>false</spotless.check.skip>
@@ -87,7 +87,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
         <artifactId>bom-${jenkins.baseline}.x</artifactId>
-        <version>3761.vd922730f0fd2</version>
+        <version>3722.vcc62e7311580</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>

src/main/java/hudson/plugins/ec2/EC2Cloud.java

@@ -77,6 +77,7 @@
 import hudson.model.PeriodicWork;
 import hudson.model.TaskListener;
 import hudson.plugins.ec2.util.AmazonEC2Factory;
+import hudson.plugins.ec2.util.FIPS140Utils;
 import hudson.security.ACL;
 import hudson.slaves.Cloud;
 import hudson.slaves.NodeProvisioner.PlannedNode;
@@ -300,7 +301,9 @@
             LOGGER.fine(() -> "(resolvePrivateKey) Using jenkins ssh credential");
             SSHUserPrivateKey privateKeyCredential = getSshCredential(sshKeysCredentialsId, Jenkins.get());
             if (privateKeyCredential != null) {
-                return new EC2PrivateKey(privateKeyCredential.getPrivateKey());
+                String privateKey = privateKeyCredential.getPrivateKey();
+                FIPS140Utils.ensurePrivateKeyInFipsMode(privateKey);
+                return new EC2PrivateKey(privateKey);
             }
         }
         return null;
@@ -433,7 +436,9 @@
         }
 
         if (this.sshKeysCredentialsId == null && this.privateKey != null) {
-            migratePrivateSshKeyToCredential(this.privateKey.getPrivateKey());
+            String privateKey = this.privateKey.getPrivateKey();
+            FIPS140Utils.ensurePrivateKeyInFipsMode(privateKey);
+            migratePrivateSshKeyToCredential(privateKey);
         }
         this.privateKey =
                 null; // This enforces it not to be persisted and that CasC will never output privateKey on export
@@ -1483,93 +1488,106 @@
                 }
             }
 
+            try {
+                FIPS140Utils.ensurePrivateKeyInFipsMode(privateKey);
+            } catch (IllegalArgumentException ex) {
+                validations.add(FormValidation.error(ex, ex.getLocalizedMessage()));
+            }
+
             validations.add(FormValidation.ok("SSH key validation successful"));
             return FormValidation.aggregate(validations);
         }
 
         /**
          * Tests the connection settings.
          *
          * Overriding needs to {@code @RequirePOST}
          * @param region
          * @param useInstanceProfileForCredentials
          * @param credentialsId
          * @param sshKeysCredentialsId
          * @param roleArn
          * @param roleSessionName
          * @return the validation result
          * @throws IOException
          * @throws ServletException
          */
         @RequirePOST
         public FormValidation doTestConnection(
                 @AncestorInPath ItemGroup context,
                 @QueryParameter String region,
                 @QueryParameter boolean useInstanceProfileForCredentials,
                 @QueryParameter String credentialsId,
                 @QueryParameter String sshKeysCredentialsId,
                 @QueryParameter String roleArn,
                 @QueryParameter String roleSessionName)
                 throws IOException, ServletException {
             if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                 return FormValidation.ok();
             }
             try {
                 List<FormValidation> validations = new ArrayList<>();
 
                 LOGGER.fine(() -> "begin doTestConnection()");
                 String privateKey = "";
                 if (System.getProperty(SSH_PRIVATE_KEY_FILEPATH, "").isEmpty()) {
                     LOGGER.fine(() -> "static credential is in use");
                     SSHUserPrivateKey sshCredential = getSshCredential(sshKeysCredentialsId, context);
                     if (sshCredential != null) {
                         privateKey = sshCredential.getPrivateKey();
                     } else {
                         return FormValidation.error(
                                 "Failed to find credential \"" + sshKeysCredentialsId + "\" in store.");
                     }
                 } else {
                     EC2PrivateKey k = EC2PrivateKey.fetchFromDisk();
                     if (k == null) {
                         validations.add(FormValidation.error(
                                 "Failed to find private key file " + System.getProperty(SSH_PRIVATE_KEY_FILEPATH)));
                         if (!StringUtils.isEmpty(sshKeysCredentialsId)) {
                             validations.add(FormValidation.warning(
                                     "Private key file path defined, selected credential will be ignored"));
                         }
                         return FormValidation.aggregate(validations);
                     }
                     privateKey = k.getPrivateKey();
                 }
                 LOGGER.fine(() -> "private key found ok");
 
                 if (Util.fixEmpty(region) == null) {
                     region = DEFAULT_EC2_HOST;
                 }
 
                 AWSCredentialsProvider credentialsProvider = createCredentialsProvider(
                         useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
                 AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, getEc2EndpointUrl(region));
                 ec2.describeInstances();
 
                 if (!privateKey.trim().isEmpty()) {
                     // check if this key exists
                     EC2PrivateKey pk = new EC2PrivateKey(privateKey);
                     if (pk.find(ec2) == null) {
                         validations.add(FormValidation.error(
                                 "The EC2 key pair private key isn't registered to this EC2 region (fingerprint is "
                                         + pk.getFingerprint() + ")"));
                     }
                 }
 
                 if (!System.getProperty(SSH_PRIVATE_KEY_FILEPATH, "").isEmpty()) {
                     if (!StringUtils.isEmpty(sshKeysCredentialsId)) {
                         validations.add(
                                 FormValidation.warning("Using private key file instead of selected credential"));
                     } else {
                         validations.add(FormValidation.ok("Using private key file"));
                     }
                 }
+
+                try {
+                    FIPS140Utils.ensurePrivateKeyInFipsMode(privateKey);
+                } catch (IllegalArgumentException ex) {
+                    validations.add(FormValidation.error(ex, ex.getLocalizedMessage()));
+                }
+
                 validations.add(FormValidation.ok(Messages.EC2Cloud_Success()));
                 return FormValidation.aggregate(validations);
             } catch (AmazonClientException e) {

src/main/java/hudson/plugins/ec2/WindowsData.java

@@ -2,10 +2,15 @@
 
 import hudson.Extension;
 import hudson.model.Descriptor;
+import hudson.plugins.ec2.util.FIPS140Utils;
+import hudson.util.FormValidation;
 import hudson.util.Secret;
 import java.util.Objects;
 import java.util.concurrent.TimeUnit;
+import jenkins.model.Jenkins;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.verb.POST;
 
 public class WindowsData extends AMITypeData {
 
@@ -22,7 +27,18 @@
             boolean useHTTPS,
             String bootDelay,
             boolean specifyPassword,
-            boolean allowSelfSignedCertificate) {
+            boolean allowSelfSignedCertificate)
+            throws Descriptor.FormException {
+        try {
+            FIPS140Utils.ensureNoPasswordLeak(useHTTPS, password);
+        } catch (IllegalArgumentException e) {
+            throw new Descriptor.FormException(e, "password");
+        }
+        try {
+            FIPS140Utils.ensureNoSelfSignedCertificate(allowSelfSignedCertificate);
+        } catch (IllegalArgumentException e) {
+            throw new Descriptor.FormException(e, "allowSelfSignedCertificate");
+        }
         this.password = Secret.fromString(password);
         this.useHTTPS = useHTTPS;
         this.bootDelay = bootDelay;
@@ -36,11 +52,12 @@
     }
 
     @Deprecated
-    public WindowsData(String password, boolean useHTTPS, String bootDelay, boolean specifyPassword) {
+    public WindowsData(String password, boolean useHTTPS, String bootDelay, boolean specifyPassword)
+            throws Descriptor.FormException {
         this(password, useHTTPS, bootDelay, specifyPassword, true);
     }
 
-    public WindowsData(String password, boolean useHTTPS, String bootDelay) {
+    public WindowsData(String password, boolean useHTTPS, String bootDelay) throws Descriptor.FormException {
         this(password, useHTTPS, bootDelay, false);
     }
 
@@ -95,6 +112,51 @@
         public String getDisplayName() {
             return "windows";
         }
+
+        @POST
+        @SuppressWarnings("unused")
+        public FormValidation doCheckPassword(@QueryParameter String password) {
+            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+                // for security reasons, do not perform any check if the user is not an admin
+                return FormValidation.ok();
+            }
+            try {
+                FIPS140Utils.ensurePasswordLength(password);
+            } catch (IllegalArgumentException ex) {
+                return FormValidation.error(ex, ex.getLocalizedMessage());
+            }
+            return FormValidation.ok();
+        }
+
+        @POST
+        @SuppressWarnings("unused")
+        public FormValidation doCheckUseHTTPS(@QueryParameter boolean useHTTPS, @QueryParameter String password) {
+            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+                // for security reasons, do not perform any check if the user is not an admin
+                return FormValidation.ok();
+            }
+            try {
+                FIPS140Utils.ensureNoPasswordLeak(useHTTPS, password);
+            } catch (IllegalArgumentException ex) {
+                return FormValidation.error(ex, ex.getLocalizedMessage());
+            }
+            return FormValidation.ok();
+        }
+
+        @POST
+        @SuppressWarnings("unused")
+        public FormValidation doCheckAllowSelfSignedCertificate(@QueryParameter boolean allowSelfSignedCertificate) {
+            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+                // for security reasons, do not perform any check if the user is not an admin
+                return FormValidation.ok();
+            }
+            try {
+                FIPS140Utils.ensureNoSelfSignedCertificate(allowSelfSignedCertificate);
+            } catch (IllegalArgumentException ex) {
+                return FormValidation.error(ex, ex.getLocalizedMessage());
+            }
+            return FormValidation.ok();
+        }
     }
 
     @Override

src/main/java/hudson/plugins/ec2/ssh/verifiers/HostKey.java

@@ -27,6 +27,7 @@
 package hudson.plugins.ec2.ssh.verifiers;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.plugins.ec2.util.FIPS140Utils;
 import java.io.Serializable;
 import java.util.Arrays;
 import org.apache.sshd.common.digest.BuiltinDigests;
@@ -48,6 +49,8 @@ public final class HostKey implements Serializable {
 
     public HostKey(@NonNull String algorithm, @NonNull byte[] key) {
         super();
+        FIPS140Utils.ensurePublicKeyInFipsMode(algorithm, key);
+
         this.algorithm = algorithm;
         this.key = key.clone();
     }

src/main/java/hudson/plugins/ec2/util/FIPS140Utils.java

@@ -0,0 +1,177 @@
+package hudson.plugins.ec2.util;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.plugins.ec2.Messages;
+import java.io.IOException;
+import java.net.URL;
+import java.security.Key;
+import java.security.UnrecoverableKeyException;
+import java.security.interfaces.DSAKey;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
+import jenkins.bouncycastle.api.PEMEncodable;
+import jenkins.security.FIPS140;
+import org.apache.commons.lang.StringUtils;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
+import org.bouncycastle.crypto.params.ECPublicKeyParameters;
+import org.bouncycastle.crypto.params.RSAKeyParameters;
+import org.bouncycastle.crypto.util.OpenSSHPublicKeyUtil;
+
+/**
+ * FIPS related utility methods (check Private and Public keys, ...)
+ */
+public class FIPS140Utils {
+
+    /**
+     * Checks if the key is allowed when FIPS mode is requested.
+     * Allowed key with the following algorithms and sizes:
+     * <ul>
+     *     <li>DSA with key size >= 2048</li>
+     *     <li>RSA with key size >= 2048</li>
+     *     <li>Elliptic curve (ED25519) with field size >= 224</li>
+     * </ul>
+     * If the key is valid and allowed or not in FIPS mode method will just exit.
+     * If not it will throw an {@link IllegalArgumentException}.
+     * @param key The key to check.
+     */
+    public static void ensureKeyInFipsMode(Key key) {
+        if (!FIPS140.useCompliantAlgorithms()) {
+            return;
+        }
+        if (key instanceof RSAKey) {
+            if (((RSAKey) key).getModulus().bitLength() < 2048) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_invalidKeySizeInFIPSMode());
+            }
+        } else if (key instanceof DSAKey) {
+            if (((DSAKey) key).getParams().getP().bitLength() < 2048) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_invalidKeySizeInFIPSMode());
+            }
+        } else if (key instanceof ECKey) {
+            if (((ECKey) key).getParams().getCurve().getField().getFieldSize() < 224) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_invalidKeySizeECInFIPSMode());
+            }
+        } else {
+            throw new IllegalArgumentException(Messages.EC2Cloud_keyIsNotApprovedInFIPSMode(key.getAlgorithm()));
+        }
+    }
+
+    /**
+     * Password leak prevention when FIPS mode is requested. If FIPS mode is not requested, this method does nothing.
+     * Otherwise, ensure that no password can be leaked
+     * @param url the requested URL
+     * @param password the password used
+     * @throws IllegalArgumentException if there is a risk that the password will leak
+     */
+    public static void ensureNoPasswordLeak(URL url, String password) {
+        ensureNoPasswordLeak("https".equals(url.getProtocol()), password);
+    }
+
+    /**
+     * Password leak prevention when FIPS mode is requested. If FIPS mode is not requested, this method does nothing.
+     * Otherwise, ensure that no password can be leaked.
+     * @param useHTTPS is TLS used or not
+     * @param password the password used
+     * @throws IllegalArgumentException if there is a risk that the password will leak
+     */
+    public static void ensureNoPasswordLeak(boolean useHTTPS, String password) {
+        ensureNoPasswordLeak(useHTTPS, !StringUtils.isEmpty(password));
+    }
+
+    /**
+     * Password leak prevention when FIPS mode is requested. If FIPS mode is not requested, this method does nothing.
+     * Otherwise, ensure that no password can be leaked.
+     * @param useHTTPS is TLS used or not
+     * @param usePassword is a password used
+     * @throws IllegalArgumentException if there is a risk that the password will leak
+     */
+    public static void ensureNoPasswordLeak(boolean useHTTPS, boolean usePassword) {
+        if (FIPS140.useCompliantAlgorithms()) {
+            if (!useHTTPS && usePassword) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_tlsIsRequiredInFIPSMode());
+            }
+        }
+    }
+
+    /**
+     * Password length check chen FIPS mode is requested. If FIPS mode is not requested, this method does nothing.
+     * Otherwise, ensure that the password length is at least 14 char long.
+     * @param password the password to check
+     * @throws IllegalArgumentException if FIPS mode is requested and the password is too short
+     */
+    public static void ensurePasswordLength(String password) {
+        if (FIPS140.useCompliantAlgorithms()) {
+            if (StringUtils.isBlank(password) || password.length() < 14) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_passwordLengthInFIPSMode());
+            }
+        }
+    }
+
+    /**
+     * Password leak prevention when FIPS mode is requested. If FIPS mode is not requested, this method does nothing.
+     * Otherwise, ensure that no password can be leaked.
+     * @param allowSelfSignedCertificate is self-signed certificate allowed
+     * @throws IllegalArgumentException if FIPS mode is requested and a self-signed certificate is allowed
+     */
+    public static void ensureNoSelfSignedCertificate(boolean allowSelfSignedCertificate) {
+        if (FIPS140.useCompliantAlgorithms()) {
+            if (allowSelfSignedCertificate) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_selfSignedCertificateNotAllowedInFIPSMode());
+            }
+        }
+    }
+
+    /**
+     * Checks if the private key is allowed when FIPS mode is requested.
+     * Allowed private key with the following algorithms and sizes:
+     * <ul>
+     *     <li>DSA with key size >= 2048</li>
+     *     <li>RSA with key size >= 2048</li>
+     *     <li>Elliptic curve (ED25519) with field size >= 224</li>
+     * </ul>
+     * If the private key is valid and allowed or not in FIPS mode method will just exit.
+     * If not it will throw an {@link IllegalArgumentException}.
+     * @param privateKeyString String containing the private key PEM.
+     */
+    public static void ensurePrivateKeyInFipsMode(String privateKeyString) {
+        if (!FIPS140.useCompliantAlgorithms()) {
+            return;
+        }
+        if (StringUtils.isBlank(privateKeyString)) {
+            throw new IllegalArgumentException(Messages.EC2Cloud_keyIsMandatoryInFIPSMode());
+        }
+        try {
+            Key privateKey = PEMEncodable.decode(privateKeyString).toPrivateKey();
+            ensureKeyInFipsMode(privateKey);
+        } catch (RuntimeException | UnrecoverableKeyException | IOException e) {
+            throw new IllegalArgumentException(e.getMessage(), e);
+        }
+    }
+
+    public static void ensurePublicKeyInFipsMode(@NonNull String algorithm, @NonNull byte[] key) {
+        if (!FIPS140.useCompliantAlgorithms()) {
+            return;
+        }
+
+        AsymmetricKeyParameter asymmetricKeyParameter = OpenSSHPublicKeyUtil.parsePublicKey(key);
+
+        if (asymmetricKeyParameter instanceof RSAKeyParameters) {
+            RSAKeyParameters rsaKeyParameters = (RSAKeyParameters) asymmetricKeyParameter;
+            if (rsaKeyParameters.getModulus().bitLength() < 2048) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_invalidKeySizeInFIPSMode());
+            }
+        } else if (asymmetricKeyParameter instanceof DSAPublicKeyParameters) {
+            DSAPublicKeyParameters dsaPublicKeyParameters = (DSAPublicKeyParameters) asymmetricKeyParameter;
+            if (dsaPublicKeyParameters.getParameters().getP().bitLength() < 2048) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_invalidKeySizeInFIPSMode());
+            }
+        } else if (asymmetricKeyParameter instanceof ECPublicKeyParameters) {
+            ECPublicKeyParameters ecPublicKeyParameters = (ECPublicKeyParameters) asymmetricKeyParameter;
+            if (ecPublicKeyParameters.getParameters().getCurve().getFieldSize() < 224) {
+                throw new IllegalArgumentException(Messages.EC2Cloud_invalidKeySizeECInFIPSMode());
+            }
+        } else {
+            throw new IllegalArgumentException(Messages.EC2Cloud_keyIsNotApprovedInFIPSMode(algorithm));
+        }
+    }
+}