Handle BC-FIPS related exception and propagate exception causes

jtnord · jtnord · commit e306e5379dd0 · 2024-07-05T15:26:58.000+01:00
When testing with BC-FIPS PEMEncodeable was failing in some unexpected
ways.

in the first if we could not convert due to a PKCSException or InvalidKeySpecException
then the cause was logged and a new exception without details was thrown.
This means the underlying cause is lost when using any exception in a
FormValidation.

In the second case when using a key that had too short of salt an
org.bouncycastle.crypto.fips.FipsUnapprovedOperationError was thrown
which being an error would ripple up and cause an unexpected error.

We now catch this error and wrap it in an UnrecoverableKeyException so
it can be handled by the caller
diff --git a/src/main/java/jenkins/bouncycastle/api/PEMEncodable.java b/src/main/java/jenkins/bouncycastle/api/PEMEncodable.java
@@ -50,7 +50,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
-import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import org.apache.commons.codec.binary.Hex;
@@ -245,13 +244,24 @@ private static final PEMEncodable convertedPemToPemDecodable(Object object, char
                                 + object.getClass().getName());
             }
         } catch (PKCSException | InvalidKeySpecException e) {
-            LOGGER.log(Level.WARNING, "Could not read PEM encrypted information", e);
-            throw new UnrecoverableKeyException();
+            UnrecoverableKeyException unrecoverableKeyEx = new UnrecoverableKeyException(e.getMessage());
+            unrecoverableKeyEx.initCause(e);
+            throw unrecoverableKeyEx;
         } catch (CertificateException e) {
             throw new IOException("Could not read certificate", e);
         } catch (NoSuchAlgorithmException e) {
-            throw new AssertionError(
-                    "RSA algorithm support is mandated by Java Language Specification. See https://docs.oracle.com/javase/7/docs/api/java/security/KeyFactory.html");
+            throw new IOException("Algorithm required for parsing is not implemented", e);
+        } catch (AssertionError e) {
+            // when using the FIPS BC variety org.bouncycastle.crypto.fips.FipsUnapprovedOperationError can be throw
+            // if the encoded object is not FIPS compliant.
+            // there are no known subclasses so just match on the classname.
+            if (e.getClass().getName().equals("org.bouncycastle.crypto.fips.FipsUnapprovedOperationError")) {
+                UnrecoverableKeyException unrecoverableKeyEx =
+                        new UnrecoverableKeyException("Provided Object is not FIPS 140 compliant");
+                unrecoverableKeyEx.initCause(e);
+                throw unrecoverableKeyEx;
+            }
+            throw e;
         }
     }
 
