[JIRA] [update-sites-manager-plugin] (JENKINS-32376) Private certificates don't work with server-based download (Jenkins >= 1.557)

devld@ikedam.jp (JIRA)
Jan 9, 2016, 7:49:02 PM
to jenkinsc...@googlegroups.com
ikedam created an issue
 
Jenkins / Bug JENKINS-32376
Private certificates don't work with server-based download (Jenkins >= 1.557)
Issue Type: Bug
Assignee: ikedam
Components: update-sites-manager-plugin
Created: 10/Jan/16 12:48 AM
Environment: update-sites-manager 1.0.1
Jenkins >= 1.557 (affected depending on configurations)
Jenkins >= 1.600, 1.596.1 (affected by default)
Priority: Critical
Reporter: ikedam
  • Jenkins 1.557 introduced server-based download of lists of plugins.
    • This feature is enabled when "Download Preferences > Use Browser" is disabled in the system configuration.
  • This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1.

Access to update centers requiring private CA certificates fails with:

Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site 'ikedam-update-center' (show details)
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
        at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
        at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
        at hudson.model.UpdateSite.verifySignature(UpdateSite.java:221)
        at hudson.model.UpdateSite.updateData(UpdateSite.java:200)
        at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
        at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:824)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
        at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
        at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
        at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
        at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
        at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:182)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
        at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
        at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
devld@ikedam.jp (JIRA)
Jan 9, 2016, 7:55:01 PM
to jenkinsc...@googlegroups.com
ikedam updated an issue
Change By: ikedam
* Jenkins 1.557 introduced server-based download of lists of plugins. ([1ac7775|https://github.com/jenkinsci/jenkins/commit/1ac77750e93f9a1970fecbecdf7f84279d0a62b9], [33d88c0|https://github.com/jenkinsci/jenkins/commit/33d88c015c7fc6c6cdb093d4a3d04a75aa85fa80])
** This feature is enabled when "Download Preferences > Use Browser" is disabled in the system configuration.
* This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1. ([6b71fac|https://github.com/jenkinsci/jenkins/commit/6b71faccb95285fb15a72703b2c2e4efdc905512])

Access to update centers requiring private CA certificates fails with
{noformat}
{noformat} 

dbeck@cloudbees.com (JIRA)
Jan 10, 2016, 12:46:01 PM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-32376
 
Re: Private certificates don't work with server-based download (Jenkins >= 1.557)

To clarify, this also happens when specifying a certification with the custom update site?

devld@ikedam.jp (JIRA)
Jan 10, 2016, 10:34:02 PM
to jenkinsc...@googlegroups.com
ikedam commented on Bug JENKINS-32376

> To clarify, this also happens when specifying a certification with the custom update site?

Exactly.
The process injecting the specified certificate isn't performed in server-based download.
That process is implemented as a wrapper of UpdateSite#doPostBack, which is for client-based download and not invoked for server-based download.
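
The failure in the log above and the cause ikedam describes, reproduced outside Jenkins with the `openssl` CLI (an added example, not part of this thread or of the plugin's code): a signer certificate issued by a private CA is rejected when only the default anchors are consulted, and accepted once the private CA is added to the anchor set before validation. All certificates, subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every certificate, subject name and file name here is constructed.

# Build a throwaway PKI in directory $1: a private CA, a signer certificate it
# issues, and an unrelated root standing in for the anchors known by default.
build_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=constructed-private-ca" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=constructed-default-root" \
    -keyout "$1/default.key" -out "$1/default.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-update-site-signer" \
    -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/signer.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/signer.pem" 2>/dev/null
}

# chains_to <cert.pem> <anchors.pem>: true only if openssl reports the path as OK.
# The printed verdict is matched rather than relying on the exit status alone.
chains_to() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Validate the same signer against two anchor sets: the one a code path sees when
# the configured CA is never injected, and the one it sees when it is.
run_demo() {
  d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { rm -rf "$d"; return 1; }
  cat "$d/default.pem" > "$d/anchors-default.pem"
  cat "$d/default.pem" "$d/ca.pem" > "$d/anchors-injected.pem"
  if chains_to "$d/signer.pem" "$d/anchors-default.pem"; then a=accepted; else a=rejected; fi
  if chains_to "$d/signer.pem" "$d/anchors-injected.pem"; then b=accepted; else b=rejected; fi
  rm -rf "$d"
  echo "default-anchors-only=$a with-private-ca=$b"
}

run_demo
```

The rejected case is the `openssl` counterpart of the `CertPathValidatorException: Path does not chain with any of the trust anchors` in the stack trace.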

devld@ikedam.jp (JIRA)
Jan 10, 2016, 10:34:02 PM
to jenkinsc...@googlegroups.com
ikedam started work on Bug JENKINS-32376
 
Change By: ikedam
Status: Open → In Progress

scm_issue_link@java.net (JIRA)
Jan 15, 2016, 11:43:02 PM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: ikedam
Path:
pom.xml
src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/DescribedUpdateSiteJenkinsTest.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java
http://jenkins-ci.org/commit/update-sites-manager-plugin/d5d4f7ebd550bd015a35e224edcfea21f81417f0
Log:

JENKINS-32376 Changed the target to the least LTS 1.596.

scm_issue_link@java.net (JIRA)
Jan 15, 2016, 11:43:02 PM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: ikedam
Path:

src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
http://jenkins-ci.org/commit/update-sites-manager-plugin/a4e9b85239b415f3a66776f7d8e93111c1aabec4
Log:

JENKINS-32376 Integration tests with client-based download and server-based download.

scm_issue_link@java.net (JIRA)
Jan 15, 2016, 11:43:02 PM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: ikedam
Path:

pom.xml
src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSite.java
src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java
src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java
http://jenkins-ci.org/commit/update-sites-manager-plugin/45819d10f539ca6afe4cf51386efdab9db04ad25
Log:
Merge pull request #5 from ikedam/feature/JENKIS-32376_ServerBasedDownloading

[FIXED JENKINS-32376] Supports server-based downloading

Compare: https://github.com/jenkinsci/update-sites-manager-plugin/compare/b8bfa335c508...45819d10f539

scm_issue_link@java.net (JIRA)
Jan 15, 2016, 11:43:02 PM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: ikedam
Path:
pom.xml

src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
http://jenkins-ci.org/commit/update-sites-manager-plugin/cf71b464e80372ff906e0d81d5113d6f4e4b2892
Log:

JENKINS-32376 Jenkins < 1.600 have a problem with the server-side download feature (Downloadable refers URLs without signatures) and cannot test the behavior. I decided to target 1.609.

devld@ikedam.jp (JIRA)
Feb 27, 2016, 9:46:04 PM
to jenkinsc...@googlegroups.com
ikedam closed an issue as Fixed
 

Fixed in update-sites-manager-2.0.0.
It will be available in the update center in a day.

Change By: ikedam
Status: Resolved → Closed