[JENKINS-75676] Client certificate credentials not handled properly

Fix using a library that allow to hotswap client certificates for an existing SSLContext.

Author: nfalco79

pom.xml

@@ -27,8 +27,8 @@
         <revision>936.4.3</revision>
         <changelist>-SNAPSHOT</changelist>
         <gitHubRepo>jenkinsci/bitbucket-branch-source-plugin</gitHubRepo>
-        <jenkins.baseline>2.479</jenkins.baseline>
-        <jenkins.version>${jenkins.baseline}.3</jenkins.version>
+        <jenkins.baseline>2.504</jenkins.baseline>
+        <jenkins.version>${jenkins.baseline}.1</jenkins.version>
         <hpi.compatibleSinceVersion>936.0.0</hpi.compatibleSinceVersion>
         <!-- Jenkins.MANAGE is still in Beta -->
         <useBeta>true</useBeta>
@@ -81,6 +81,17 @@
             <groupId>io.jenkins.plugins</groupId>
             <artifactId>apache-httpcomponents-client-5-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart-for-apache5</artifactId>
+            <version>9.1.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>io.jenkins.plugins</groupId>
             <artifactId>commons-lang3-api</artifactId>

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/impl/credentials/BitbucketClientCertificateAuthenticator.java

@@ -25,25 +25,34 @@
 package com.cloudbees.jenkins.plugins.bitbucket.impl.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
-import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketException;
-import com.cloudbees.jenkins.plugins.bitbucket.impl.client.BitbucketTlsSocketStrategy;
 import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
 import hudson.util.Secret;
-import java.security.KeyManagementException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import javax.net.ssl.SSLContext;
-import org.apache.hc.client5.http.protocol.HttpClientContext;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.logging.Logger;
+import javax.net.ssl.X509ExtendedKeyManager;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.keymanager.AggregatedX509ExtendedKeyManager;
+import nl.altindag.ssl.keymanager.DummyX509ExtendedKeyManager;
+import nl.altindag.ssl.keymanager.HotSwappableX509ExtendedKeyManager;
+import nl.altindag.ssl.keymanager.LoggingX509ExtendedKeyManager;
+import nl.altindag.ssl.keymanager.X509KeyManagerWrapper;
+import nl.altindag.ssl.util.KeyManagerUtils;
+import nl.altindag.ssl.util.KeyStoreUtils;
 import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.apache.hc.core5.ssl.SSLContexts;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * Authenticates against Bitbucket using a TLS client certificate
  */
 public class BitbucketClientCertificateAuthenticator implements BitbucketAuthenticator {
+    private static final Logger logger = Logger.getLogger(BitbucketClientCertificateAuthenticator.class.getName());
+
     private final String credentialsId;
     private final KeyStore keyStore;
     private final Secret password;
@@ -55,23 +64,64 @@ public BitbucketClientCertificateAuthenticator(StandardCertificateCredentials cr
     }
 
     /**
-     * Sets the SSLContext for the builder to one that will connect with the selected certificate.
-     * @param context The client builder context
+     * Sets the SSLContext for the builder to one that will connect with the
+     * selected certificate.
+     *
+     * @param sslFactory The client SSL context configured in the connection
+     *        pool
      * @param host the target host name
      */
-    @Override
-    public void configureContext(HttpClientContext context, HttpHost host) {
-        try {
-            context.setAttribute(BitbucketTlsSocketStrategy.SOCKET_FACTORY_REGISTRY, buildSSLContext()); // override SSL registry for this context
-        } catch (NoSuchAlgorithmException | UnrecoverableKeyException | KeyStoreException | KeyManagementException e) {
-            throw new BitbucketException("Failed to set up SSL context from provided client certificate", e);
-        }
+    @Restricted(NoExternalUse.class)
+    public synchronized /*required to avoid combine the same identity material twice */ void configureContext(SSLFactory sslFactory, HttpHost host) {
+        sslFactory.getKeyManager().ifPresent(baseKeyManager -> {
+            List<X509ExtendedKeyManager> keyManagers = new ArrayList<>();
+
+            AggregatedX509ExtendedKeyManager aggregate = unwrap(baseKeyManager);
+            Map<String, List<URI>> routes = aggregate.getIdentityRoute();
+
+            for (String alias : KeyStoreUtils.getAliases(keyStore)) {
+                // check if given route has been already added to the SSL context
+                if (!routes.containsKey(alias)) {
+                    try {
+                        URI hostURI = new URI(host.toURI());
+                        routes.put(alias, new ArrayList<>(List.of(hostURI)));
+                    } catch (URISyntaxException e) {
+                        logger.severe("Invalid host " + host);
+                    }
+                    keyManagers.add(KeyManagerUtils.createKeyManager(keyStore, Secret.toString(password).toCharArray()));
+                    logger.info(() -> "Add new identity material (keyStore) " + alias + " to the SSLContext.");
+                }
+            }
+
+            if (!keyManagers.isEmpty()) {
+                // create an aggregate keyManager with new identity material plus existing contributed
+                // from other configured client certificate client
+                X509ExtendedKeyManager combined = KeyManagerUtils.keyManagerBuilder()
+                        .withKeyManagers(aggregate.getInnerKeyManagers())
+                        .withKeyManagers(keyManagers)
+                        .withIdentityRoute(routes)
+                        .build();
+                // swap identity materials and reuse existing http client
+                KeyManagerUtils.swapKeyManager(baseKeyManager, combined);
+            }
+        });
     }
 
-    private SSLContext buildSSLContext() throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException, KeyManagementException {
-        SSLContextBuilder contextBuilder = SSLContexts.custom();
-        contextBuilder.loadKeyMaterial(keyStore, Secret.toString(password).toCharArray());
-        return contextBuilder.build();
+
+    private AggregatedX509ExtendedKeyManager unwrap(X509ExtendedKeyManager keyManager) {
+        if (keyManager instanceof AggregatedX509ExtendedKeyManager aggregate) {
+            return aggregate;
+        } else if (keyManager instanceof HotSwappableX509ExtendedKeyManager swappable) {
+            return unwrap(swappable.getInnerKeyManager());
+        } else if (keyManager instanceof LoggingX509ExtendedKeyManager logger) {
+            return unwrap(logger.getInnerKeyManager());
+        } else if (keyManager instanceof X509KeyManagerWrapper wrapper) {
+            return unwrap((X509ExtendedKeyManager) wrapper.getInnerKeyManager());
+        } else if (keyManager instanceof DummyX509ExtendedKeyManager) {
+            return new AggregatedX509ExtendedKeyManager(new ArrayList<>());
+        } else {
+            return new AggregatedX509ExtendedKeyManager(List.of(keyManager));
+        }
     }
 
     @Override

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/server/client/BitbucketServerAPIClient.java

@@ -88,11 +88,15 @@
 import jenkins.scm.api.SCMFile;
 import jenkins.scm.api.SCMFile.Type;
 import jenkins.scm.impl.avatars.AvatarImage;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.SSLFactory.Builder;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.HttpStatus;
 import org.apache.hc.core5.http.message.BasicNameValuePair;
@@ -140,10 +144,24 @@ public class BitbucketServerAPIClient extends AbstractBitbucketApi implements Bi
     private static final String API_MIRRORS_PATH = "/rest/mirroring/1.0/mirrorServers";
     private static final Integer DEFAULT_PAGE_LIMIT = 200;
 
+    private static Builder sslFactoryBuilder() {
+        Builder builder = SSLFactory.builder()
+                .withSystemTrustMaterial()
+                .withDefaultTrustMaterial()
+                // TODO remove .withTrustMaterial(Paths.get("D:\\Download\\JENKINS-75676\\jenkins\\trustStore.jks"), "JENKINS-75676".toCharArray())
+                .withDummyIdentityMaterial()
+                .withSwappableIdentityMaterial();
+        if (System.getProperty("javax.net.ssl.trustStore") != null) {
+            builder.withSystemPropertyDerivedTrustMaterial();
+        }
+        return builder;
+    }
+
+    private static final SSLFactory sslFactory = sslFactoryBuilder().build();
     private static final HttpClientConnectionManager connectionManager = connectionManagerBuilder()
-            .setMaxConnPerRoute(20)
-            .setMaxConnTotal(40 /* should be 20 * number of server instances */)
-            .setTlsSocketStrategy(new BitbucketTlsSocketStrategy())
+            .setMaxConnPerRoute(1) // FIXME restore to 20
+            .setMaxConnTotal(1 /* should be 20 * number of server instances */) // FIXME restore to 40
+            .setTlsSocketStrategy(new DefaultClientTlsStrategy(sslFactory.getSslContext()))
             .build();
 
     /**
@@ -162,6 +180,7 @@ public class BitbucketServerAPIClient extends AbstractBitbucketApi implements Bi
     private final BitbucketServerWebhookImplementation webhookImplementation;
     private final CloseableHttpClient client;
 
+
     public BitbucketServerAPIClient(@NonNull String baseURL, @NonNull String owner, @CheckForNull String repositoryName,
                                     @CheckForNull BitbucketAuthenticator authenticator, boolean userCentric) {
         this(baseURL, owner, repositoryName, authenticator, userCentric, BitbucketServerEndpoint.findWebhookImplementation(baseURL));
@@ -182,6 +201,14 @@ public BitbucketServerAPIClient(@NonNull String baseURL, @NonNull String owner,
         this.client = setupClientBuilder().build();
     }
 
+    @Override
+    protected HttpClientBuilder setupClientBuilder() {
+        if (getAuthenticator() instanceof BitbucketClientCertificateAuthenticator certificateAuthenticator) {
+            certificateAuthenticator.configureContext(sslFactory, getHost());
+        }
+        return super.setupClientBuilder();
+    }
+
     @Override
     protected boolean isSupportedAuthenticator(@CheckForNull BitbucketAuthenticator authenticator) {
         return authenticator == null