Move PEM verification to spring-boot-autoconfigure

Move `KeyVerifier` to spring-boot-autoconfigure to reduce the
public API required in `PemSslStoreBundle`.

This commit also moves the verify property so that is can be set
per store.

Closes gh-38173

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/KeyVerifier.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.ssl.pem;
+package org.springframework.boot.autoconfigure.ssl;
 
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java

@@ -39,11 +39,6 @@ public class PemSslBundleProperties extends SslBundleProperties {
 	 */
 	private final Store truststore = new Store();
 
-	/**
-	 * Whether to verify that the private key matches the public key.
-	 */
-	private boolean verifyKeys;
-
 	public Store getKeystore() {
 		return this.keystore;
 	}
@@ -52,14 +47,6 @@ public class PemSslBundleProperties extends SslBundleProperties {
 		return this.truststore;
 	}
 
-	public boolean isVerifyKeys() {
-		return this.verifyKeys;
-	}
-
-	public void setVerifyKeys(boolean verifyKeys) {
-		this.verifyKeys = verifyKeys;
-	}
-
 	/**
 	 * Store properties.
 	 */
@@ -85,6 +72,11 @@ public class PemSslBundleProperties extends SslBundleProperties {
 		 */
 		private String privateKeyPassword;
 
+		/**
+		 * Whether to verify that the private key matches the public key.
+		 */
+		private boolean verifyKeys;
+
 		public String getType() {
 			return this.type;
 		}
@@ -117,6 +109,14 @@ public class PemSslBundleProperties extends SslBundleProperties {
 			this.privateKeyPassword = privateKeyPassword;
 		}
 
+		public boolean isVerifyKeys() {
+			return this.verifyKeys;
+		}
+
+		public void setVerifyKeys(boolean verifyKeys) {
+			this.verifyKeys = verifyKeys;
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java

@@ -16,6 +16,10 @@
 
 package org.springframework.boot.autoconfigure.ssl;
 
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.security.cert.X509Certificate;
+
 import org.springframework.boot.autoconfigure.ssl.SslBundleProperties.Key;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundleKey;
@@ -24,6 +28,7 @@ import org.springframework.boot.ssl.SslOptions;
 import org.springframework.boot.ssl.SslStoreBundle;
 import org.springframework.boot.ssl.jks.JksSslStoreBundle;
 import org.springframework.boot.ssl.jks.JksSslStoreDetails;
+import org.springframework.boot.ssl.pem.PemSslStore;
 import org.springframework.boot.ssl.pem.PemSslStoreBundle;
 import org.springframework.boot.ssl.pem.PemSslStoreDetails;
 
@@ -107,16 +112,39 @@ public final class PropertiesSslBundle implements SslBundle {
 	}
 
 	private static SslStoreBundle asSslStoreBundle(PemSslBundleProperties properties) {
-		PemSslStoreDetails keyStoreDetails = asStoreDetails(properties.getKeystore())
+		PemSslStore keyStore = asPemSslStore(properties.getKeystore(), properties.getKey().getAlias());
-			.withAlias(properties.getKey().getAlias());
+		PemSslStore trustStore = asPemSslStore(properties.getTruststore(), properties.getKey().getAlias());
-		PemSslStoreDetails trustStoreDetails = asStoreDetails(properties.getTruststore())
+		return new PemSslStoreBundle(keyStore, trustStore);
-			.withAlias(properties.getKey().getAlias());
-		return new PemSslStoreBundle(keyStoreDetails, trustStoreDetails, properties.isVerifyKeys());
 	}
 
-	private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties) {
+	private static PemSslStore asPemSslStore(PemSslBundleProperties.Store properties, String alias) {
-		return new PemSslStoreDetails(properties.getType(), properties.getCertificate(), properties.getPrivateKey(),
+		try {
-				properties.getPrivateKeyPassword());
+			PemSslStoreDetails details = asStoreDetails(properties, alias);
+			PemSslStore pemSslStore = PemSslStore.load(details);
+			if (properties.isVerifyKeys()) {
+				verifyPemSslStoreKeys(pemSslStore);
+			}
+			return pemSslStore;
+		}
+		catch (IOException ex) {
+			throw new UncheckedIOException(ex);
+		}
+	}
+
+	private static void verifyPemSslStoreKeys(PemSslStore pemSslStore) {
+		KeyVerifier keyVerifier = new KeyVerifier();
+		for (X509Certificate certificate : pemSslStore.certificates()) {
+			KeyVerifier.Result result = keyVerifier.matches(pemSslStore.privateKey(), certificate.getPublicKey());
+			if (result == KeyVerifier.Result.YES) {
+				return;
+			}
+		}
+		throw new IllegalStateException("Private key matches none of the certificates in the chain");
+	}
+
+	private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties, String alias) {
+		return new PemSslStoreDetails(properties.getType(), alias, null, properties.getCertificate(),
+				properties.getPrivateKey(), properties.getPrivateKeyPassword());
 	}
 
 	private static SslStoreBundle asSslStoreBundle(JksSslBundleProperties properties) {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/KeyVerifierTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.ssl.pem;
+package org.springframework.boot.autoconfigure.ssl;
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
@@ -33,7 +33,7 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
-import org.springframework.boot.ssl.pem.KeyVerifier.Result;
+import org.springframework.boot.autoconfigure.ssl.KeyVerifier.Result;
 
 import static org.assertj.core.api.Assertions.assertThat;
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java

@@ -20,12 +20,15 @@ import java.security.Key;
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.util.Set;
+import java.util.function.Consumer;
 
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.ssl.SslBundle;
+import org.springframework.util.function.ThrowingConsumer;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
 
 /**
  * Tests for {@link PropertiesSslBundle}.
@@ -35,6 +38,8 @@ import static org.assertj.core.api.Assertions.assertThat;
  */
 class PropertiesSslBundleTests {
 
+	private static final char[] EMPTY_KEY_PASSWORD = new char[] {};
+
 	@Test
 	void pemPropertiesAreMappedToSslBundle() throws Exception {
 		PemSslBundleProperties properties = new PemSslBundleProperties();
@@ -99,4 +104,47 @@ class PropertiesSslBundleTests {
 		assertThat(trustStore.getProvider().getName()).isEqualTo("SUN");
 	}
 
+	@Test
+	void getWithPemSslBundlePropertiesWhenVerifyKeyStoreAgainstSingleCertificateWithMatchCreatesBundle() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key1.crt");
+		properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key1.pem");
+		properties.getKeystore().setVerifyKeys(true);
+		properties.getKey().setAlias("test-alias");
+		SslBundle bundle = PropertiesSslBundle.get(properties);
+		assertThat(bundle.getStores().getKeyStore()).satisfies(storeContainingCertAndKey("test-alias"));
+	}
+
+	@Test
+	void getWithPemSslBundlePropertiesWhenVerifyKeyStoreAgainstCertificateChainWithMatchCreatesBundle() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key2-chain.crt");
+		properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key2.pem");
+		properties.getKeystore().setVerifyKeys(true);
+		properties.getKey().setAlias("test-alias");
+		SslBundle bundle = PropertiesSslBundle.get(properties);
+		assertThat(bundle.getStores().getKeyStore()).satisfies(storeContainingCertAndKey("test-alias"));
+	}
+
+	@Test
+	void getWithPemSslBundlePropertiesWhenVerifyKeyStoreWithNoMatchThrowsException() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key2.crt");
+		properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key1.pem");
+		properties.getKeystore().setVerifyKeys(true);
+		properties.getKey().setAlias("test-alias");
+		assertThatIllegalStateException().isThrownBy(() -> PropertiesSslBundle.get(properties))
+			.withMessageContaining("Private key matches none of the certificates");
+	}
+
+	private Consumer<KeyStore> storeContainingCertAndKey(String keyAlias) {
+		return ThrowingConsumer.of((keyStore) -> {
+			assertThat(keyStore).isNotNull();
+			assertThat(keyStore.getType()).isEqualTo(KeyStore.getDefaultType());
+			assertThat(keyStore.containsAlias(keyAlias)).isTrue();
+			assertThat(keyStore.getCertificate(keyAlias)).isNotNull();
+			assertThat(keyStore.getKey(keyAlias, EMPTY_KEY_PASSWORD)).isNotNull();
+		});
+	}
+
 }

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java

@@ -51,8 +51,9 @@ public class PemSslStoreBundle implements SslStoreBundle {
 	 * @param keyStoreDetails the key store details
 	 * @param trustStoreDetails the trust store details
 	 */
+	@SuppressWarnings("removal")
 	public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails) {
-		this(keyStoreDetails, trustStoreDetails, null, false);
+		this(keyStoreDetails, trustStoreDetails, null);
 	}
 
 	/**
@@ -66,26 +67,9 @@ public class PemSslStoreBundle implements SslStoreBundle {
 	 */
 	@Deprecated(since = "3.2.0", forRemoval = true)
 	public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails, String alias) {
-		this(keyStoreDetails, trustStoreDetails, alias, false);
-	}
-
-	/**
-	 * Create a new {@link PemSslStoreBundle} instance.
-	 * @param keyStoreDetails the key store details
-	 * @param trustStoreDetails the trust store details
-	 * @param verifyKeys whether to verify that the private key matches the public key
-	 * @since 3.2.0
-	 */
-	public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails,
-			boolean verifyKeys) {
-		this(keyStoreDetails, trustStoreDetails, null, verifyKeys);
-	}
-
-	private PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails, String alias,
-			boolean verifyKeys) {
 		try {
-			this.keyStore = createKeyStore("key", PemSslStore.load(keyStoreDetails), alias, verifyKeys);
+			this.keyStore = createKeyStore("key", PemSslStore.load(keyStoreDetails), alias);
-			this.trustStore = createKeyStore("trust", PemSslStore.load(trustStoreDetails), alias, verifyKeys);
+			this.trustStore = createKeyStore("trust", PemSslStore.load(trustStoreDetails), alias);
 		}
 		catch (IOException ex) {
 			throw new UncheckedIOException(ex);
@@ -96,13 +80,15 @@ public class PemSslStoreBundle implements SslStoreBundle {
 	 * Create a new {@link PemSslStoreBundle} instance.
 	 * @param pemKeyStore the PEM key store
 	 * @param pemTrustStore the PEM trust store
-	 * @param alias the alias to use or {@code null} to use a default alias
-	 * @param verifyKeys whether to verify that the private key matches the public key
 	 * @since 3.2.0
 	 */
-	public PemSslStoreBundle(PemSslStore pemKeyStore, PemSslStore pemTrustStore, String alias, boolean verifyKeys) {
+	public PemSslStoreBundle(PemSslStore pemKeyStore, PemSslStore pemTrustStore) {
-		this.keyStore = createKeyStore("key", pemKeyStore, alias, verifyKeys);
+		this(pemKeyStore, pemTrustStore, null);
-		this.trustStore = createKeyStore("trust", pemTrustStore, alias, verifyKeys);
+	}
+
+	private PemSslStoreBundle(PemSslStore pemKeyStore, PemSslStore pemTrustStore, String alias) {
+		this.keyStore = createKeyStore("key", pemKeyStore, alias);
+		this.trustStore = createKeyStore("trust", pemTrustStore, alias);
 	}
 
 	@Override
@@ -120,7 +106,7 @@ public class PemSslStoreBundle implements SslStoreBundle {
 		return this.trustStore;
 	}
 
-	private static KeyStore createKeyStore(String name, PemSslStore pemSslStore, String alias, boolean verifyKeys) {
+	private static KeyStore createKeyStore(String name, PemSslStore pemSslStore, String alias) {
 		if (pemSslStore == null) {
 			return null;
 		}
@@ -132,9 +118,6 @@ public class PemSslStoreBundle implements SslStoreBundle {
 			List<X509Certificate> certificates = pemSslStore.certificates();
 			PrivateKey privateKey = pemSslStore.privateKey();
 			if (privateKey != null) {
-				if (verifyKeys) {
-					verifyKeys(privateKey, certificates);
-				}
 				addPrivateKey(store, privateKey, alias, pemSslStore.password(), certificates);
 			}
 			else {
@@ -154,18 +137,6 @@ public class PemSslStoreBundle implements SslStoreBundle {
 		return store;
 	}
 
-	private static void verifyKeys(PrivateKey privateKey, List<X509Certificate> certificateChain) {
-		KeyVerifier keyVerifier = new KeyVerifier();
-		// Key should match one of the certificates
-		for (X509Certificate certificate : certificateChain) {
-			KeyVerifier.Result result = keyVerifier.matches(privateKey, certificate.getPublicKey());
-			if (result == KeyVerifier.Result.YES) {
-				return;
-			}
-		}
-		throw new IllegalStateException("Private key matches none of the certificates in the chain");
-	}
-
 	private static void addPrivateKey(KeyStore keyStore, PrivateKey privateKey, String alias, String keyPassword,
 			List<X509Certificate> certificateChain) throws KeyStoreException {
 		keyStore.setKeyEntry(alias, privateKey, (keyPassword != null) ? keyPassword.toCharArray() : null,

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemSslStoreBundleTests.java

@@ -27,7 +27,6 @@ import org.junit.jupiter.api.Test;
 import org.springframework.util.function.ThrowingConsumer;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
 
 /**
  * Tests for {@link PemSslStoreBundle}.
@@ -206,43 +205,12 @@ class PemSslStoreBundleTests {
 		assertThat(bundle.getTrustStore()).satisfies(storeContainingCertAndKey("tsa", "tss".toCharArray()));
 	}
 
-	@Test
-	void shouldVerifyKeysIfEnabled() {
-		PemSslStoreDetails keyStoreDetails = PemSslStoreDetails
-			.forCertificate("classpath:org/springframework/boot/ssl/pem/key1.crt")
-			.withPrivateKey("classpath:org/springframework/boot/ssl/pem/key1.pem")
-			.withAlias("test-alias")
-			.withPassword("keysecret");
-		PemSslStoreBundle bundle = new PemSslStoreBundle(keyStoreDetails, null, true);
-		assertThat(bundle.getKeyStore()).satisfies(storeContainingCertAndKey("test-alias", "keysecret".toCharArray()));
-	}
-
-	@Test
-	void shouldVerifyKeysIfEnabledAndCertificateChainIsUsed() {
-		PemSslStoreDetails keyStoreDetails = PemSslStoreDetails
-			.forCertificates("classpath:org/springframework/boot/ssl/pem/key2-chain.crt")
-			.withPrivateKey("classpath:org/springframework/boot/ssl/pem/key2.pem")
-			.withAlias("test-alias")
-			.withPassword("keysecret");
-		PemSslStoreBundle bundle = new PemSslStoreBundle(keyStoreDetails, null, true);
-		assertThat(bundle.getKeyStore()).satisfies(storeContainingCertAndKey("test-alias", "keysecret".toCharArray()));
-	}
-
-	@Test
-	void shouldFailIfVerifyKeysIsEnabledAndKeysDontMatch() {
-		PemSslStoreDetails keyStoreDetails = PemSslStoreDetails
-			.forCertificate("classpath:org/springframework/boot/ssl/pem/key2.crt")
-			.withPrivateKey("classpath:org/springframework/boot/ssl/pem/key1.pem");
-		assertThatIllegalStateException().isThrownBy(() -> new PemSslStoreBundle(keyStoreDetails, null, true))
-			.withMessageContaining("Private key matches none of the certificates");
-	}
-
 	@Test
 	void createWithPemSslStoreCreatesInstance() {
 		List<X509Certificate> certificates = PemContent.of(CERTIFICATE).getCertificates();
 		PrivateKey privateKey = PemContent.of(PRIVATE_KEY).getPrivateKey();
 		PemSslStore pemSslStore = PemSslStore.of(certificates, privateKey);
-		PemSslStoreBundle bundle = new PemSslStoreBundle(pemSslStore, pemSslStore, null, false);
+		PemSslStoreBundle bundle = new PemSslStoreBundle(pemSslStore, pemSslStore);
 		assertThat(bundle.getKeyStore()).satisfies(storeContainingCertAndKey("ssl"));
 		assertThat(bundle.getTrustStore()).satisfies(storeContainingCertAndKey("ssl"));
 	}