Allow server.ssl properties to mix PEM and JKS certificate types

scottfrederick · scottfrederick · commit 47b1c41dac43 · 2024-01-16T16:26:28.000-06:00
Prior to the introduction of SSL bundles, the `server.ssl` properties allowed PEM and JKS certificate files types to be mixed when configuring keystores and truststores. This was lost when adapting to SSL bundles using `WebServerSslBundle`. This commit restores the previous behavior for back compatibility. Fixes gh-39105
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/WebServerSslBundle.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/WebServerSslBundle.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -68,12 +68,28 @@ private static SslStoreBundle createPemStoreBundle(Ssl ssl) {
 		return new PemSslStoreBundle(keyStoreDetails, trustStoreDetails, ssl.getKeyAlias());
 	}
 
-	private static SslStoreBundle createJksStoreBundle(Ssl ssl) {
+	private static SslStoreBundle createPemKeyStoreBundle(Ssl ssl) {
+		PemSslStoreDetails keyStoreDetails = new PemSslStoreDetails(ssl.getKeyStoreType(), ssl.getCertificate(),
+				ssl.getCertificatePrivateKey());
+		return new PemSslStoreBundle(keyStoreDetails, null, ssl.getKeyAlias());
+	}
+
+	private static SslStoreBundle createPemTrustStoreBundle(Ssl ssl) {
+		PemSslStoreDetails trustStoreDetails = new PemSslStoreDetails(ssl.getTrustStoreType(),
+				ssl.getTrustCertificate(), ssl.getTrustCertificatePrivateKey());
+		return new PemSslStoreBundle(null, trustStoreDetails, ssl.getKeyAlias());
+	}
+
+	private static SslStoreBundle createJksKeyStoreBundle(Ssl ssl) {
 		JksSslStoreDetails keyStoreDetails = new JksSslStoreDetails(ssl.getKeyStoreType(), ssl.getKeyStoreProvider(),
 				ssl.getKeyStore(), ssl.getKeyStorePassword());
+		return new JksSslStoreBundle(keyStoreDetails, null);
+	}
+
+	private static SslStoreBundle createJksTrustStoreBundle(Ssl ssl) {
 		JksSslStoreDetails trustStoreDetails = new JksSslStoreDetails(ssl.getTrustStoreType(),
 				ssl.getTrustStoreProvider(), ssl.getTrustStore(), ssl.getTrustStorePassword());
-		return new JksSslStoreBundle(keyStoreDetails, trustStoreDetails);
+		return new JksSslStoreBundle(null, trustStoreDetails);
 	}
 
 	@Override
@@ -156,30 +172,55 @@ public static SslBundle get(Ssl ssl, SslBundles sslBundles, SslStoreProvider ssl
 	}
 
 	private static SslStoreBundle createStoreBundle(Ssl ssl) {
-		if (hasCertificateProperties(ssl)) {
-			return createPemStoreBundle(ssl);
+		KeyStore keyStore = createKeyStore(ssl);
+		KeyStore trustStore = createTrustStore(ssl);
+		return new WebServerSslStoreBundle(keyStore, trustStore, ssl.getKeyStorePassword());
+	}
+
+	private static KeyStore createKeyStore(Ssl ssl) {
+		if (hasPemKeyStoreProperties(ssl)) {
+			return createPemKeyStoreBundle(ssl).getKeyStore();
+		}
+		else if (hasJksKeyStoreProperties(ssl)) {
+			return createJksKeyStoreBundle(ssl).getKeyStore();
+		}
+		return null;
+	}
+
+	private static KeyStore createTrustStore(Ssl ssl) {
+		if (hasPemTrustStoreProperties(ssl)) {
+			return createPemTrustStoreBundle(ssl).getTrustStore();
 		}
-		if (hasJavaKeyStoreProperties(ssl)) {
-			return createJksStoreBundle(ssl);
+		else if (hasJksTrustStoreProperties(ssl)) {
+			return createJksTrustStoreBundle(ssl).getTrustStore();
 		}
-		throw new IllegalStateException("SSL is enabled but no trust material is configured");
+		return null;
 	}
 
 	static SslBundle createCertificateFileSslStoreProviderDelegate(Ssl ssl) {
-		if (!hasCertificateProperties(ssl)) {
+		if (!hasPemKeyStoreProperties(ssl)) {
 			return null;
 		}
 		SslStoreBundle stores = createPemStoreBundle(ssl);
 		return new WebServerSslBundle(stores, ssl.getKeyPassword(), ssl);
 	}
 
-	private static boolean hasCertificateProperties(Ssl ssl) {
+	private static boolean hasPemKeyStoreProperties(Ssl ssl) {
 		return Ssl.isEnabled(ssl) && ssl.getCertificate() != null && ssl.getCertificatePrivateKey() != null;
 	}
 
-	private static boolean hasJavaKeyStoreProperties(Ssl ssl) {
-		return Ssl.isEnabled(ssl) && ssl.getKeyStore() != null
-				|| (ssl.getKeyStoreType() != null && ssl.getKeyStoreType().equals("PKCS11"));
+	private static boolean hasPemTrustStoreProperties(Ssl ssl) {
+		return Ssl.isEnabled(ssl) && ssl.getTrustCertificate() != null;
+	}
+
+	private static boolean hasJksKeyStoreProperties(Ssl ssl) {
+		return Ssl.isEnabled(ssl) && (ssl.getKeyStore() != null
+				|| (ssl.getKeyStoreType() != null && ssl.getKeyStoreType().equals("PKCS11")));
+	}
+
+	private static boolean hasJksTrustStoreProperties(Ssl ssl) {
+		return Ssl.isEnabled(ssl) && (ssl.getTrustStore() != null
+				|| (ssl.getTrustStoreType() != null && ssl.getTrustStoreType().equals("PKCS11")));
 	}
 
 	/**
@@ -211,4 +252,36 @@ public KeyStore getTrustStore() {
 
 	}
 
+	private static final class WebServerSslStoreBundle implements SslStoreBundle {
+
+		private final KeyStore keyStore;
+
+		private final KeyStore trustStore;
+
+		private final String keyStorePassword;
+
+		private WebServerSslStoreBundle(KeyStore keyStore, KeyStore trustStore, String keyStorePassword) {
+			Assert.state(keyStore != null || trustStore != null, "SSL is enabled but no trust material is configured");
+			this.keyStore = keyStore;
+			this.trustStore = trustStore;
+			this.keyStorePassword = keyStorePassword;
+		}
+
+		@Override
+		public KeyStore getKeyStore() {
+			return this.keyStore;
+		}
+
+		@Override
+		public KeyStore getTrustStore() {
+			return this.trustStore;
+		}
+
+		@Override
+		public String getKeyStorePassword() {
+			return this.keyStorePassword;
+		}
+
+	}
+
 }
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/server/WebServerSslBundleTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/server/WebServerSslBundleTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -95,6 +95,25 @@ void whenFromJksPropertiesWithPkcs11StoreType() {
 			.withMessageContaining("must be empty or null for PKCS11 hardware key stores");
 	}
 
+	@Test
+	void whenFromPkcs11Properties() {
+		Ssl ssl = new Ssl();
+		ssl.setKeyStoreType("PKCS11");
+		ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
+		ssl.setTrustStoreType("PKCS11");
+		ssl.setTrustStoreProvider(MockPkcs11SecurityProvider.NAME);
+		ssl.setKeyPassword("password");
+		ssl.setClientAuth(Ssl.ClientAuth.NONE);
+		SslBundle bundle = WebServerSslBundle.get(ssl);
+		assertThat(bundle).isNotNull();
+		assertThat(bundle.getProtocol()).isEqualTo("TLS");
+		SslBundleKey key = bundle.getKey();
+		assertThat(key.getPassword()).isEqualTo("password");
+		SslStoreBundle stores = bundle.getStores();
+		assertThat(stores.getKeyStore()).isNotNull();
+		assertThat(stores.getTrustStore()).isNotNull();
+	}
+
 	@Test
 	void whenFromPemProperties() {
 		Ssl ssl = new Ssl();
@@ -122,6 +141,61 @@ void whenFromPemProperties() {
 		assertThat(options.getEnabledProtocols()).containsExactly("TLSv1.1", "TLSv1.2");
 	}
 
+	@Test
+	void whenPemKeyStoreAndJksTrustStoreProperties() {
+		Ssl ssl = new Ssl();
+		ssl.setCertificate("classpath:test-cert.pem");
+		ssl.setCertificatePrivateKey("classpath:test-key.pem");
+		ssl.setKeyStoreType("PKCS12");
+		ssl.setKeyPassword("password");
+		ssl.setTrustStore("classpath:test.p12");
+		ssl.setTrustStorePassword("secret");
+		ssl.setTrustStoreType("PKCS12");
+		ssl.setClientAuth(Ssl.ClientAuth.NONE);
+		ssl.setCiphers(new String[] { "ONE", "TWO", "THREE" });
+		ssl.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
+		ssl.setProtocol("TLSv1.1");
+		SslBundle bundle = WebServerSslBundle.get(ssl);
+		assertThat(bundle).isNotNull();
+		SslBundleKey key = bundle.getKey();
+		assertThat(key.getAlias()).isNull();
+		assertThat(key.getPassword()).isEqualTo("password");
+		SslStoreBundle stores = bundle.getStores();
+		assertThat(stores.getKeyStorePassword()).isNull();
+		assertThat(stores.getKeyStore()).isNotNull();
+		assertThat(stores.getTrustStore()).isNotNull();
+		SslOptions options = bundle.getOptions();
+		assertThat(options.getCiphers()).containsExactly("ONE", "TWO", "THREE");
+		assertThat(options.getEnabledProtocols()).containsExactly("TLSv1.1", "TLSv1.2");
+	}
+
+	@Test
+	void whenJksKeyStoreAndPemTrustStoreProperties() {
+		Ssl ssl = new Ssl();
+		ssl.setKeyStore("classpath:test.p12");
+		ssl.setKeyStoreType("PKCS12");
+		ssl.setKeyPassword("password");
+		ssl.setTrustCertificate("classpath:test-cert-chain.pem");
+		ssl.setTrustStorePassword("secret");
+		ssl.setTrustStoreType("PKCS12");
+		ssl.setClientAuth(Ssl.ClientAuth.NONE);
+		ssl.setCiphers(new String[] { "ONE", "TWO", "THREE" });
+		ssl.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
+		ssl.setProtocol("TLSv1.1");
+		SslBundle bundle = WebServerSslBundle.get(ssl);
+		assertThat(bundle).isNotNull();
+		SslBundleKey key = bundle.getKey();
+		assertThat(key.getAlias()).isNull();
+		assertThat(key.getPassword()).isEqualTo("password");
+		SslStoreBundle stores = bundle.getStores();
+		assertThat(stores.getKeyStorePassword()).isNull();
+		assertThat(stores.getKeyStore()).isNotNull();
+		assertThat(stores.getTrustStore()).isNotNull();
+		SslOptions options = bundle.getOptions();
+		assertThat(options.getCiphers()).containsExactly("ONE", "TWO", "THREE");
+		assertThat(options.getEnabledProtocols()).containsExactly("TLSv1.1", "TLSv1.2");
+	}
+
 	@Test
 	@Deprecated(since = "3.1.0", forRemoval = true)
 	@SuppressWarnings("removal")
