Use Tomcat SSLHostConfig API for SSL configuration

Closes gh-30531
2022-04-04 14:37:16 -05:00 · 2022-04-04 14:37:16 -05:00 · 103c2bdd7d
parent 1c71567c94
commit 103c2bdd7d
3 changed files with 63 additions and 187 deletions
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -19,11 +19,12 @@ package org.springframework.boot.web.embedded.tomcat;
 import java.io.FileNotFoundException;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
 import org.apache.coyote.ProtocolHandler;
 import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
 import org.apache.coyote.http11.Http11NioProtocol;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.springframework.boot.web.server.Ssl;
 import org.springframework.boot.web.server.SslStoreProvider;
@ -36,6 +37,8 @@ import org.springframework.util.StringUtils;
 * {@link TomcatConnectorCustomizer} that configures SSL support on the given connector.
 *
 * @author Brian Clozel
 * @author Andy Wilkinson
 * @author Scott Frederick
 */
 class SslConnectorCustomizer implements TomcatConnectorCustomizer {
@ -67,56 +70,63 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
 	 */
 	protected void configureSsl(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl, SslStoreProvider sslStoreProvider) {
 		protocol.setSSLEnabled(true);
-		protocol.setSslProtocol(ssl.getProtocol());
+		SSLHostConfig sslHostConfig = new SSLHostConfig();
-		configureSslClientAuth(protocol, ssl);
+		sslHostConfig.setHostName(protocol.getDefaultSSLHostConfigName());
 		sslHostConfig.setSslProtocol(ssl.getProtocol());
 		protocol.addSslHostConfig(sslHostConfig);
 		configureSslClientAuth(sslHostConfig, ssl);
 		SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
 		if (ssl.getKeyStorePassword() != null) {
-			protocol.setKeystorePass(ssl.getKeyStorePassword());
+			certificate.setCertificateKeystorePassword(ssl.getKeyStorePassword());
 		}
 		if (ssl.getKeyPassword() != null) {
-			protocol.setKeyPass(ssl.getKeyPassword());
+			certificate.setCertificateKeyPassword(ssl.getKeyPassword());
 		}
-		protocol.setKeyAlias(ssl.getKeyAlias());
+		if (ssl.getKeyAlias() != null) {
 			certificate.setCertificateKeyAlias(ssl.getKeyAlias());
 		}
 		sslHostConfig.addCertificate(certificate);
 		String ciphers = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
 		if (StringUtils.hasText(ciphers)) {
-			protocol.setCiphers(ciphers);
+			sslHostConfig.setCiphers(ciphers);
 		}
 		configureEnabledProtocols(protocol, ssl);
 		if (sslStoreProvider != null) {
 			configureSslStoreProvider(protocol, sslHostConfig, certificate, sslStoreProvider);
 		}
 		else {
 			configureSslKeyStore(certificate, ssl);
 			configureSslTrustStore(sslHostConfig, ssl);
 		}
 	}
 	private void configureEnabledProtocols(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
 		if (ssl.getEnabledProtocols() != null) {
 			for (SSLHostConfig sslHostConfig : protocol.findSslHostConfigs()) {
 				sslHostConfig.setProtocols(StringUtils.arrayToCommaDelimitedString(ssl.getEnabledProtocols()));
 			}
 		}
 		if (sslStoreProvider != null) {
 			configureSslStoreProvider(protocol, sslStoreProvider);
 		}
 		else {
 			configureSslKeyStore(protocol, ssl);
 			configureSslTrustStore(protocol, ssl);
 		}
 	}
-	private void configureSslClientAuth(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
+	private void configureSslClientAuth(SSLHostConfig config, Ssl ssl) {
 		if (ssl.getClientAuth() == Ssl.ClientAuth.NEED) {
-			protocol.setClientAuth(Boolean.TRUE.toString());
+			config.setCertificateVerification("required");
 		}
 		else if (ssl.getClientAuth() == Ssl.ClientAuth.WANT) {
-			protocol.setClientAuth("want");
+			config.setCertificateVerification("optional");
 		}
 	}
-	protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol,
+	protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol, SSLHostConfig sslHostConfig,
-			SslStoreProvider sslStoreProvider) {
+			SSLHostConfigCertificate certificate, SslStoreProvider sslStoreProvider) {
 		Assert.isInstanceOf(Http11NioProtocol.class, protocol,
 				"SslStoreProvider can only be used with Http11NioProtocol");
 		TomcatURLStreamHandlerFactory instance = TomcatURLStreamHandlerFactory.getInstance();
 		instance.addUserFactory(new SslStoreProviderUrlStreamHandlerFactory(sslStoreProvider));
 		try {
 			if (sslStoreProvider.getKeyStore() != null) {
-				protocol.setKeystorePass("");
+				certificate.setCertificateKeystore(sslStoreProvider.getKeyStore());
 				protocol.setKeystoreFile(SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
 			}
 			if (sslStoreProvider.getTrustStore() != null) {
-				protocol.setTruststorePass("");
+				sslHostConfig.setTrustStore(sslStoreProvider.getTrustStore());
 				protocol.setTruststoreFile(SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
 			}
 		}
 		catch (Exception ex) {
@ -124,38 +134,38 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
 		}
 	}
-	private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
+	private void configureSslKeyStore(SSLHostConfigCertificate certificate, Ssl ssl) {
 		try {
-			protocol.setKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString());
+			certificate.setCertificateKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString());
 		}
 		catch (Exception ex) {
 			throw new WebServerException("Could not load key store '" + ssl.getKeyStore() + "'", ex);
 		}
 		if (ssl.getKeyStoreType() != null) {
-			protocol.setKeystoreType(ssl.getKeyStoreType());
+			certificate.setCertificateKeystoreType(ssl.getKeyStoreType());
 		}
 		if (ssl.getKeyStoreProvider() != null) {
-			protocol.setKeystoreProvider(ssl.getKeyStoreProvider());
+			certificate.setCertificateKeystoreProvider(ssl.getKeyStoreProvider());
 		}
 	}
-	private void configureSslTrustStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
+	private void configureSslTrustStore(SSLHostConfig sslHostConfig, Ssl ssl) {
 		if (ssl.getTrustStore() != null) {
 			try {
-				protocol.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString());
+				sslHostConfig.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString());
 			}
 			catch (FileNotFoundException ex) {
 				throw new WebServerException("Could not load trust store: " + ex.getMessage(), ex);
 			}
 		}
 		if (ssl.getTrustStorePassword() != null) {
-			protocol.setTruststorePass(ssl.getTrustStorePassword());
+			sslHostConfig.setTruststorePassword(ssl.getTrustStorePassword());
 		}
 		if (ssl.getTrustStoreType() != null) {
-			protocol.setTruststoreType(ssl.getTrustStoreType());
+			sslHostConfig.setTruststoreType(ssl.getTrustStoreType());
 		}
 		if (ssl.getTrustStoreProvider() != null) {
-			protocol.setTruststoreProvider(ssl.getTrustStoreProvider());
+			sslHostConfig.setTruststoreProvider(ssl.getTrustStoreProvider());
 		}
 	}
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslStoreProviderUrlStreamHandlerFactory.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslStoreProviderUrlStreamHandlerFactory.java
@ -1,111 +0,0 @@
 /*
 * Copyright 2012-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.boot.web.embedded.tomcat;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
 import java.security.KeyStore;
 import org.springframework.boot.web.server.SslStoreProvider;
 /**
 * A {@link URLStreamHandlerFactory} that provides a {@link URLStreamHandler} for
 * accessing an {@link SslStoreProvider}'s key store and trust store from a URL.
 *
 * @author Andy Wilkinson
 */
 class SslStoreProviderUrlStreamHandlerFactory implements URLStreamHandlerFactory {
 	private static final String PROTOCOL = "springbootssl";
 	private static final String KEY_STORE_PATH = "keyStore";
 	static final String KEY_STORE_URL = PROTOCOL + ":" + KEY_STORE_PATH;
 	private static final String TRUST_STORE_PATH = "trustStore";
 	static final String TRUST_STORE_URL = PROTOCOL + ":" + TRUST_STORE_PATH;
 	private final SslStoreProvider sslStoreProvider;
 	SslStoreProviderUrlStreamHandlerFactory(SslStoreProvider sslStoreProvider) {
 		this.sslStoreProvider = sslStoreProvider;
 	}
 	@Override
 	public URLStreamHandler createURLStreamHandler(String protocol) {
 		if (PROTOCOL.equals(protocol)) {
 			return new URLStreamHandler() {
 				@Override
 				protected URLConnection openConnection(URL url) throws IOException {
 					try {
 						if (KEY_STORE_PATH.equals(url.getPath())) {
 							return new KeyStoreUrlConnection(url,
 									SslStoreProviderUrlStreamHandlerFactory.this.sslStoreProvider.getKeyStore());
 						}
 						if (TRUST_STORE_PATH.equals(url.getPath())) {
 							return new KeyStoreUrlConnection(url,
 									SslStoreProviderUrlStreamHandlerFactory.this.sslStoreProvider.getTrustStore());
 						}
 					}
 					catch (Exception ex) {
 						throw new IOException(ex);
 					}
 					throw new IOException("Invalid path: " + url.getPath());
 				}
 			};
 		}
 		return null;
 	}
 	private static final class KeyStoreUrlConnection extends URLConnection {
 		private final KeyStore keyStore;
 		private KeyStoreUrlConnection(URL url, KeyStore keyStore) {
 			super(url);
 			this.keyStore = keyStore;
 		}
 		@Override
 		public void connect() throws IOException {
 		}
 		@Override
 		public InputStream getInputStream() throws IOException {
 			try {
 				ByteArrayOutputStream stream = new ByteArrayOutputStream();
 				this.keyStore.store(stream, new char[0]);
 				return new ByteArrayInputStream(stream.toByteArray());
 			}
 			catch (Exception ex) {
 				throw new IOException(ex);
 			}
 		}
 	}
 }
--- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
+++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,13 +23,15 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.catalina.LifecycleState;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
 import org.apache.coyote.http11.Http11NioProtocol;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@ -53,6 +55,8 @@ import static org.mockito.Mockito.mock;
 * Tests for {@link SslConnectorCustomizer}
 *
 * @author Brian Clozel
 * @author Andy Wilkinson
 * @author Scott Frederick
 */
@ExtendWith(OutputCaptureExtension.class)
 class SslConnectorCustomizerTests {
@ -129,7 +133,8 @@ class SslConnectorCustomizerTests {
 		ssl.setKeyPassword("password");
 		ssl.setTrustStore("src/test/resources/test.jks");
 		SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
-		given(sslStoreProvider.getKeyStore()).willReturn(loadStore());
+		KeyStore keyStore = loadStore();
 		given(sslStoreProvider.getKeyStore()).willReturn(keyStore);
 		SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, sslStoreProvider);
 		Connector connector = this.tomcat.getConnector();
 		customizer.customize(connector);
@ -137,8 +142,9 @@ class SslConnectorCustomizerTests {
 		SSLHostConfig sslHostConfig = connector.getProtocolHandler().findSslHostConfigs()[0];
 		SSLHostConfig sslHostConfigWithDefaults = new SSLHostConfig();
 		assertThat(sslHostConfig.getTruststoreFile()).isEqualTo(sslHostConfigWithDefaults.getTruststoreFile());
-		assertThat(sslHostConfig.getCertificateKeystoreFile())
+		Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates();
-				.isEqualTo(SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
+		assertThat(certificates).hasSize(1);
 		assertThat(certificates.iterator().next().getCertificateKeystore()).isEqualTo(keyStore);
 	}
 	@Test
@ -147,7 +153,8 @@ class SslConnectorCustomizerTests {
 		ssl.setKeyPassword("password");
 		ssl.setKeyStore("src/test/resources/test.jks");
 		SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
-		given(sslStoreProvider.getTrustStore()).willReturn(loadStore());
+		KeyStore trustStore = loadStore();
 		given(sslStoreProvider.getTrustStore()).willReturn(trustStore);
 		SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, sslStoreProvider);
 		Connector connector = this.tomcat.getConnector();
 		customizer.customize(connector);
@ -156,10 +163,11 @@ class SslConnectorCustomizerTests {
 		sslHostConfig.getCertificates(true);
 		SSLHostConfig sslHostConfigWithDefaults = new SSLHostConfig();
 		sslHostConfigWithDefaults.getCertificates(true);
-		assertThat(sslHostConfig.getTruststoreFile())
+		assertThat(sslHostConfig.getTruststore()).isEqualTo(trustStore);
-				.isEqualTo(SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
+		System.out.println(sslHostConfig.getCertificates(false).stream()
-		assertThat(sslHostConfig.getCertificateKeystoreFile())
+				.map(SSLHostConfigCertificate::getCertificateFile).collect(Collectors.toList()));
-				.contains(sslHostConfigWithDefaults.getCertificateKeystoreFile());
+		System.out.println(sslHostConfigWithDefaults.getCertificates(false).stream()
 				.map(SSLHostConfigCertificate::getCertificateFile).collect(Collectors.toList()));
 	}
 	@Test
@ -186,37 +194,6 @@ class SslConnectorCustomizerTests {
 				.withMessageContaining("Could not load key store 'null'");
 	}
 	@Test
 	void keyStorePasswordIsNotSetWhenNull() {
 		Http11NioProtocol protocol = (Http11NioProtocol) this.tomcat.getConnector().getProtocolHandler();
 		protocol.setKeystorePass("password");
 		Ssl ssl = new Ssl();
 		ssl.setKeyStore("src/test/resources/test.jks");
 		new SslConnectorCustomizer(ssl, null).customize(this.tomcat.getConnector());
 		assertThat(protocol.getKeystorePass()).isEqualTo("password");
 	}
 	@Test
 	void keyPasswordIsNotSetWhenNull() {
 		Http11NioProtocol protocol = (Http11NioProtocol) this.tomcat.getConnector().getProtocolHandler();
 		protocol.setKeyPass("password");
 		Ssl ssl = new Ssl();
 		ssl.setKeyStore("src/test/resources/test.jks");
 		new SslConnectorCustomizer(ssl, null).customize(this.tomcat.getConnector());
 		assertThat(protocol.getKeyPass()).isEqualTo("password");
 	}
 	@Test
 	void trustStorePasswordIsNotSetWhenNull() {
 		Http11NioProtocol protocol = (Http11NioProtocol) this.tomcat.getConnector().getProtocolHandler();
 		protocol.setTruststorePass("password");
 		Ssl ssl = new Ssl();
 		ssl.setKeyStore("src/test/resources/test.jks");
 		ssl.setTrustStore("src/test/resources/test.jks");
 		new SslConnectorCustomizer(ssl, null).customize(this.tomcat.getConnector());
 		assertThat(protocol.getTruststorePass()).isEqualTo("password");
 	}
 	private KeyStore loadStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
 		KeyStore keyStore = KeyStore.getInstance("JKS");
 		Resource resource = new ClassPathResource("test.jks");