Use empty key-store-password if storeprovider present

For Tomcat, if an SslStoreProvider is configured,
`SslStoreProviderUrlStreamHandlerFactory` stores the keyStore with an
empty password. Previously, if a password was supplied using the
ssl.key-store-password property, that would be the password used to
load the keystore and the connector would fail with a
"Password verification failed" exception.

Fixes gh-11391
Madhura Bhave 2018-04-23 12:17:51 -07:00
parent a5f3f36b58
commit 877c4f702e
2 changed files with 17 additions and 0 deletions


@ -113,6 +113,7 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
new SslStoreProviderUrlStreamHandlerFactory(sslStoreProvider));
try {
if (sslStoreProvider.getKeyStore() != null) {
protocol.setKeystorePass("");
protocol.setKeystoreFile(SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
}
if (sslStoreProvider.getTrustStore() != null) {
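Review bot: The empty password on `protocol.setKeystorePass("");` hard-codes a detail owned by `SslStoreProviderUrlStreamHandlerFactory`, which serializes the key store with an empty password; the two call sites must stay in sync, so a shared constant declared beside `KEY_STORE_URL` in that factory would be safer than a bare literal here. At minimum the line deserves a why-comment, e.g. `// the URL handler re-serializes the store with an empty password, so ssl.key-store-password must not be applied here`, since a reader will otherwise assume the user's configured password was dropped by mistake. The trust-store branch that begins on the last line of the hunk presumably has the same mismatch if the factory stores the trust store the same way; worth confirming it sets an empty truststore password too. The enclosing method starts before and continues after the hunk, so whether `ssl.getKeyStorePassword()` is applied later and could overwrite this value is not visible; the new test asserting `LifecycleState.STARTED` suggests it is not.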


@ -24,6 +24,7 @@ import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
@ -154,6 +155,21 @@ public class SslConnectorCustomizerTests {
assertThat(sslHostConfig.getCertificateKeystoreFile()).contains(sslHostConfigWithDefaults.getCertificateKeystoreFile());
}
@Test
public void customizeWhenSslStoreProviderPresentShouldIgnorePasswordFromSsl() throws Exception {
Ssl ssl = new Ssl();
ssl.setKeyPassword("password");
ssl.setKeyStorePassword("secret");
SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
given(sslStoreProvider.getTrustStore()).willReturn(loadStore());
given(sslStoreProvider.getKeyStore()).willReturn(loadStore());
SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, sslStoreProvider);
Connector connector = this.tomcat.getConnector();
customizer.customize(connector);
this.tomcat.start();
assertThat(connector.getState()).isEqualTo(LifecycleState.STARTED);
}
private KeyStore loadStore() throws KeyStoreException, IOException,
NoSuchAlgorithmException, CertificateException {
KeyStore keyStore = KeyStore.getInstance("JKS");