Customize Secure-config plugin


Xut

Sep 26, 2023, 3:17:31 AM
to Repo and Gerrit Discussion
Hi,

I was able to set up the secure-config[1] plugin grabbing the last stable jar [2] (I'm using Gerrit 3.8.1) and it is working correctly with the default values.

[gerrit]
  secureStoreClass = com.googlesource.gerrit.plugins.secureconfig.SecureConfigStore

[secureConfig]
  passwordDevice = /path/to/passphrase
  passwordLength = 32


Since then, I've been trying to change the encryption algorithm via secureConfig.cipher with all combinations I could but I was always getting a 
no such algorithm: "XXX" for provider SunJCE

I know some algorithms require Bouncy Castle whose .jar file I understood I had to download to $GERRIT_SITE/lib but couldn't make it work.

I know it's kind of a wide question, but can someone point me to where I could see a working sample of using a different algorithm?

Thank you

[1] https://gerrit.googlesource.com/plugins/secure-config/
[2] https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-stable-3.8/lastStableBuild/artifact/bazel-bin/plugins/oauth/oauth.jar

Luca Milanesio

Sep 26, 2023, 3:27:24 AM
to Repo and Gerrit Discussion, Luca Milanesio, Xut
Hi Xut (apologies if that is not your real name),

On 26 Sep 2023, at 08:10, Xut <awoi...@gmail.com> wrote:

Hi,

I was able to set up the secure-config[1] plugin grabbing the last stable jar [2] (I'm using Gerrit 3.8.1) and it is working correctly with the default values.

Good stuff!


[gerrit]
  secureStoreClass = com.googlesource.gerrit.plugins.secureconfig.SecureConfigStore

[secureConfig]
  passwordDevice = /path/to/passphrase
  passwordLength = 32


Since then, I've been trying to change the encryption algorithm via secureConfig.cipher with all combinations I could but I was always getting a 
no such algorithm: "XXX" for provider SunJCE

You need to choose an algorithm that is supported by the SunJCE, or alternatively you can set a different security provider.
See the config docs at [3].


I know some algorithms require Bouncy Castle whose .jar file I understood I had to download to $GERRIT_SITE/lib but couldn't make it work.

Well, you need then to set BouncyCastle as security provider, because the SunJCE won’t support them.
See the BouncyCastle documentation at [4].


I know it's kind of a wide question, but can someone point me to where I could see a working sample of using a different algorithm?

Well, you already have a working configuration. With regards to the different algorithm, you can choose any of those supported by BouncyCastle or SunJCE, bearing in mind that all need to be password-based encryption algorithms.

If you want to use the BouncyCastle provider you need to use the “BC” provider on [3], and then choose any supported algorithm from [5].

HTH
NOTE: ^^^^^^^^^^ How is OAuth plugin related to this problem?



Luca.
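
Added example (not part of the thread and not the plugin's own code): a small Java program that lists the password-based `Cipher` algorithms a JCE provider offers on the local JVM and tries an encrypt/decrypt round trip with each, so a candidate `secureConfig.cipher` value can be checked before Gerrit reports `no such algorithm`. The class name `ListPbeCiphers`, the passphrase, salt and iteration count are constructed for illustration, and that the plugin resolves the cipher name through the same `SecretKeyFactory`/`Cipher` lookups is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.TreeSet;
import javax.crypto.*;
import javax.crypto.spec.*;

public class ListPbeCiphers {
    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "SunJCE";
        Provider provider = Security.getProvider(name);
        if (provider == null && name.equals("BC")) {
            // BC is not registered in a stock JVM; load it reflectively so this
            // file still compiles when the Bouncy Castle jar is not on the classpath.
            provider = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                .getDeclaredConstructor().newInstance();
        }
        if (provider == null) throw new IllegalStateException("Provider not available in this JVM: " + name);

        // Collect every Cipher service whose name marks it as password-based encryption.
        TreeSet<String> algorithms = new TreeSet<>();
        for (Provider.Service s : provider.getServices()) {
            if (s.getType().equals("Cipher") && s.getAlgorithm().toUpperCase().startsWith("PBE")) {
                algorithms.add(s.getAlgorithm());
            }
        }
        for (String alg : algorithms) {
            System.out.println(alg + "  ->  " + probe(alg, provider));
        }
    }

    // Encrypts and decrypts a constructed probe string; returns "ok" or the failure reason.
    static String probe(String alg, Provider p) {
        try {
            byte[] plain = "probe".getBytes(StandardCharsets.UTF_8);
            byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8}; // constructed 8-byte salt
            SecretKey key = SecretKeyFactory.getInstance(alg, p)
                .generateSecret(new PBEKeySpec("constructed-sample-passphrase".toCharArray()));
            Cipher enc = Cipher.getInstance(alg, p);
            enc.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt, 2048));
            byte[] ct = enc.doFinal(plain);
            Cipher dec = Cipher.getInstance(alg, p);
            dec.init(Cipher.DECRYPT_MODE, key, enc.getParameters()); // reuses salt, count and any IV
            return Arrays.equals(dec.doFinal(ct), plain) ? "ok" : "round trip mismatch";
        } catch (Exception e) {
            return "failed: " + e;
        }
    }
}
```

Save it as `ListPbeCiphers.java` and run `java ListPbeCiphers.java` to probe SunJCE; to probe Bouncy Castle, put its jar on the classpath with `-cp` and pass `BC` as the argument.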



Javier

Sep 27, 2023, 3:30:44 AM
to Repo and Gerrit Discussion
Thank you Luca


          You need to choose an algorithm that is supported by the SunJCE, or alternatively you can set a different security provider.
          See the config docs at [3].

I am able now to change the algorithm using the JCE provider by simply adding the corresponding entry:
[secureConfig] 
  cipher = PBEWithSHA1AndDESede

  passwordDevice = /path/to/passphrase
  passwordLength = 32


 I tried the same in the past and I couldn't make it work so most likely I missed something. 

I've been trying to use a stronger algorithm with BC by downloading it to my corresponding lib directory
curl -o /var/gerrit/lib/bcprov-jdk18-176.jar https://www.bouncycastle.org/download/bcprov-jdk18on-176.jar

And adapting gerrit.config
[secureConfig]
  jceProvider = BC
  cipher = PBEWithMD2AndDES

but I keep getting the following:
fatal: 1) [Guice/ErrorInjectingConstructor]: NullPointerException
fatal:   at InitContainer.<init>(InitContainer.java:44)
fatal:   at InitContainer.class(InitContainer.java:44)
fatal:   while locating InitContainer
fatal:   while locating InitStep annotated with @UniqueAnnotations$Internal(value=10)
fatal:
fatal: Learn more:
fatal:   https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR
fatal: Caused by: NullPointerException
fatal: at java.base/Security.insertProviderAt(Security.java:363)
fatal: at java.base/Security.addProvider(Security.java:408)
fatal: at PBECodec.<init>(PBECodec.java:49)


I tried again adding the following setup just in case (not sure this would actually be required) but it didn't make any difference
// gerrit.config
[container]
javaOptions = -Djava.security.properties=/var/gerrit/etc/bouncycastle.security

// /var/gerrit/etc/bouncycastle.security
security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider

I think this might be more of a Java issue than Gerrit itself, though, but I'm not really familiar with it.



          NOTE: ^^^^^^^^^^ How is OAuth plugin related to this problem?
My bad, I meant:
https://gerrit-ci.gerritforge.com/job/plugin-secure-config-bazel-master/lastStableBuild/artifact/bazel-bin/plugins/secure-config/secure-config.jar


I am afraid I might be asking far too many 'generic' newbie questions, but allow me one more about what would be a good location for the file with the passphrase.

Thank you