[JENKINS-36871] Address code review comments

0e353c72 · Stephen Connolly · 16b0aede · 0e353c72 · 0e353c72
2 changed file
--- a/core/src/main/java/jenkins/model/identity/IdentityRootAction.java
+++ b/core/src/main/java/jenkins/model/identity/IdentityRootAction.java
@@ -2,11 +2,12 @@ package jenkins.model.identity;

 import hudson.Extension;
 import hudson.model.UnprotectedRootAction;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import org.apache.commons.codec.Charsets;
 import org.apache.commons.codec.binary.Base64;
-import org.jenkinsci.remoting.util.KeyUtils;

 /**
 * A simple root action that exposes the public key to users so that they do not need to search for the
@@ -76,6 +77,25 @@ public class IdentityRootAction implements UnprotectedRootAction {
        InstanceIdentityProvider<RSAPublicKey, RSAPrivateKey> provider =
                InstanceIdentityProvider.get(RSAPrivateKey.class);
        RSAPublicKey key = provider == null ? null : provider.getPublicKey();
-        return key == null ? null : KeyUtils.fingerprint(key);
+        if (key == null) {
+            return null;
+        }
+        // TODO replace with org.jenkinsci.remoting.util.KeyUtils once JENKINS-36871 changes are merged
+        try {
+            MessageDigest digest = MessageDigest.getInstance("MD5");
+            digest.reset();
+            byte[] bytes = digest.digest(key.getEncoded());
+            StringBuilder result = new StringBuilder(Math.max(0, bytes.length * 3 - 1));
+            for (int i = 0; i < bytes.length; i++) {
+                if (i > 0) {
+                    result.append(':');
+                }
+                int b = bytes[i] & 0xFF;
+                result.append(Character.forDigit((b>>4)&0x0f, 16)).append(Character.forDigit(b&0xf, 16));
+            }
+            return result.toString();
+        } catch (NoSuchAlgorithmException e) {
+            throw new IllegalStateException("JLS mandates MD5 support");
+        }
    }
 }
--- a/core/src/main/java/jenkins/model/identity/InstanceIdentityProvider.java
+++ b/core/src/main/java/jenkins/model/identity/InstanceIdentityProvider.java
@@ -30,6 +30,7 @@ import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import javax.annotation.CheckForNull;
+import javax.annotation.Nullable;

 /**
 * A source of instance identity.
@@ -43,17 +44,21 @@ public abstract class InstanceIdentityProvider<PUB extends PublicKey, PRIV exten
    /**
     * Gets the {@link KeyPair} that comprises the instance identity.
     *
-     * @return the {@link KeyPair} that comprises the instance identity.
+     * @return the {@link KeyPair} that comprises the instance identity. {@code null} could technically be returned in
+     * the event that a keypair could not be generated, for example if the specific key type of this provider
+     * is not permitted at the required length by the JCA policy.
     */
-    @CheckForNull
+    @Nullable
    public abstract KeyPair getKeyPair();

    /**
     * Shortcut to {@link KeyPair#getPublic()}.
     *
-     * @return the public key.
+     * @return the public key. {@code null} could technically be returned in the event that a keypair could not be
+     * generated, for example if the specific key type of this provider is not permitted at the required length by
+     * the JCA policy.
     */
-    @CheckForNull
+    @Nullable
    public PUB getPublicKey() {
        KeyPair keyPair = getKeyPair();
        return keyPair == null ? null : (PUB) keyPair.getPublic();
@@ -62,21 +67,25 @@ public abstract class InstanceIdentityProvider<PUB extends PublicKey, PRIV exten
    /**
     * Shortcut to {@link KeyPair#getPrivate()}.
     *
-     * @return the private key.
+     * @return the private key. {@code null} could technically be returned in the event that a keypair could not be
+     * generated, for example if the specific key type of this provider is not permitted at the required length by
+     * the JCA policy.
     */
-    @CheckForNull
+    @Nullable
    public PRIV getPrivateKey() {
        KeyPair keyPair = getKeyPair();
-        return keyPair == null ? null : (PRIV) keyPair.getPublic();
+        return keyPair == null ? null : (PRIV) keyPair.getPrivate();
    }

    /**
     * Gets the self-signed {@link X509Certificate} that is associated with this identity. The certificate
     * will must be currently valid. Repeated calls to this method may result in new certificates being generated.
     *
-     * @return the certificate.
+     * @return the certificate. {@code null} could technically be returned in the event that a keypair could not be
+     * generated, for example if the specific key type of this provider is not permitted at the required length by
+     * the JCA policy.
     */
-    @CheckForNull
+    @Nullable
    public abstract X509Certificate getCertificate();

    /**