From 1b61bc1f2094e38e3c0c3491688d38ea3d6af7f9 Mon Sep 17 00:00:00 2001 From: Phillip Webb Date: Fri, 27 Oct 2023 21:07:24 -0700 Subject: [PATCH] Move PEM verification to spring-boot-autoconfigure Move `KeyVerifier` to spring-boot-autoconfigure to reduce the public API required in `PemSslStoreBundle`. This commit also moves the verify property so that is can be set per store. Closes gh-38173 --- .../boot/autoconfigure/ssl}/KeyVerifier.java | 2 +- .../ssl/PemSslBundleProperties.java | 26 ++++----- .../ssl/PropertiesSslBundle.java | 44 ++++++++++++--- .../autoconfigure/ssl}/KeyVerifierTests.java | 4 +- .../ssl/PropertiesSslBundleTests.java | 48 +++++++++++++++++ .../boot/autoconfigure/ssl}/key1.crt | 0 .../boot/autoconfigure/ssl}/key1.pem | 0 .../boot/autoconfigure/ssl}/key2-chain.crt | 0 .../boot/autoconfigure/ssl}/key2.crt | 0 .../boot/autoconfigure/ssl}/key2.pem | 0 .../boot/ssl/pem/PemSslStoreBundle.java | 53 +++++-------------- .../boot/ssl/pem/PemSslStoreBundleTests.java | 34 +----------- 12 files changed, 113 insertions(+), 98 deletions(-) rename spring-boot-project/{spring-boot/src/main/java/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl}/KeyVerifier.java (98%) rename spring-boot-project/{spring-boot/src/test/java/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl}/KeyVerifierTests.java (96%) rename spring-boot-project/{spring-boot/src/test/resources/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl}/key1.crt (100%) rename spring-boot-project/{spring-boot/src/test/resources/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl}/key1.pem (100%) rename spring-boot-project/{spring-boot/src/test/resources/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl}/key2-chain.crt (100%) rename spring-boot-project/{spring-boot/src/test/resources/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl}/key2.crt (100%) rename spring-boot-project/{spring-boot/src/test/resources/org/springframework/boot/ssl/pem => spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl}/key2.pem (100%) diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/KeyVerifier.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/KeyVerifier.java similarity index 98% rename from spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/KeyVerifier.java rename to spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/KeyVerifier.java index 6b79c0a305e..65d68134e06 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/KeyVerifier.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/KeyVerifier.java @@ -14,7 +14,7 @@ * limitations under the License. */ -package org.springframework.boot.ssl.pem; +package org.springframework.boot.autoconfigure.ssl; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java index d98939350f9..7870c6b0592 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java @@ -39,11 +39,6 @@ public class PemSslBundleProperties extends SslBundleProperties { */ private final Store truststore = new Store(); - /** - * Whether to verify that the private key matches the public key. - */ - private boolean verifyKeys; - public Store getKeystore() { return this.keystore; } @@ -52,14 +47,6 @@ public class PemSslBundleProperties extends SslBundleProperties { return this.truststore; } - public boolean isVerifyKeys() { - return this.verifyKeys; - } - - public void setVerifyKeys(boolean verifyKeys) { - this.verifyKeys = verifyKeys; - } - /** * Store properties. */ @@ -85,6 +72,11 @@ public class PemSslBundleProperties extends SslBundleProperties { */ private String privateKeyPassword; + /** + * Whether to verify that the private key matches the public key. + */ + private boolean verifyKeys; + public String getType() { return this.type; } @@ -117,6 +109,14 @@ public class PemSslBundleProperties extends SslBundleProperties { this.privateKeyPassword = privateKeyPassword; } + public boolean isVerifyKeys() { + return this.verifyKeys; + } + + public void setVerifyKeys(boolean verifyKeys) { + this.verifyKeys = verifyKeys; + } + } } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java index 96188861a12..12a1847b24c 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java @@ -16,6 +16,10 @@ package org.springframework.boot.autoconfigure.ssl; +import java.io.IOException; +import java.io.UncheckedIOException; +import java.security.cert.X509Certificate; + import org.springframework.boot.autoconfigure.ssl.SslBundleProperties.Key; import org.springframework.boot.ssl.SslBundle; import org.springframework.boot.ssl.SslBundleKey; @@ -24,6 +28,7 @@ import org.springframework.boot.ssl.SslOptions; import org.springframework.boot.ssl.SslStoreBundle; import org.springframework.boot.ssl.jks.JksSslStoreBundle; import org.springframework.boot.ssl.jks.JksSslStoreDetails; +import org.springframework.boot.ssl.pem.PemSslStore; import org.springframework.boot.ssl.pem.PemSslStoreBundle; import org.springframework.boot.ssl.pem.PemSslStoreDetails; @@ -107,16 +112,39 @@ public final class PropertiesSslBundle implements SslBundle { } private static SslStoreBundle asSslStoreBundle(PemSslBundleProperties properties) { - PemSslStoreDetails keyStoreDetails = asStoreDetails(properties.getKeystore()) - .withAlias(properties.getKey().getAlias()); - PemSslStoreDetails trustStoreDetails = asStoreDetails(properties.getTruststore()) - .withAlias(properties.getKey().getAlias()); - return new PemSslStoreBundle(keyStoreDetails, trustStoreDetails, properties.isVerifyKeys()); + PemSslStore keyStore = asPemSslStore(properties.getKeystore(), properties.getKey().getAlias()); + PemSslStore trustStore = asPemSslStore(properties.getTruststore(), properties.getKey().getAlias()); + return new PemSslStoreBundle(keyStore, trustStore); } - private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties) { - return new PemSslStoreDetails(properties.getType(), properties.getCertificate(), properties.getPrivateKey(), - properties.getPrivateKeyPassword()); + private static PemSslStore asPemSslStore(PemSslBundleProperties.Store properties, String alias) { + try { + PemSslStoreDetails details = asStoreDetails(properties, alias); + PemSslStore pemSslStore = PemSslStore.load(details); + if (properties.isVerifyKeys()) { + verifyPemSslStoreKeys(pemSslStore); + } + return pemSslStore; + } + catch (IOException ex) { + throw new UncheckedIOException(ex); + } + } + + private static void verifyPemSslStoreKeys(PemSslStore pemSslStore) { + KeyVerifier keyVerifier = new KeyVerifier(); + for (X509Certificate certificate : pemSslStore.certificates()) { + KeyVerifier.Result result = keyVerifier.matches(pemSslStore.privateKey(), certificate.getPublicKey()); + if (result == KeyVerifier.Result.YES) { + return; + } + } + throw new IllegalStateException("Private key matches none of the certificates in the chain"); + } + + private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties, String alias) { + return new PemSslStoreDetails(properties.getType(), alias, null, properties.getCertificate(), + properties.getPrivateKey(), properties.getPrivateKeyPassword()); } private static SslStoreBundle asSslStoreBundle(JksSslBundleProperties properties) { diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/KeyVerifierTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/KeyVerifierTests.java similarity index 96% rename from spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/KeyVerifierTests.java rename to spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/KeyVerifierTests.java index 4f681ce77f9..269b824a678 100644 --- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/KeyVerifierTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/KeyVerifierTests.java @@ -14,7 +14,7 @@ * limitations under the License. */ -package org.springframework.boot.ssl.pem; +package org.springframework.boot.autoconfigure.ssl; import java.security.InvalidAlgorithmParameterException; import java.security.KeyPair; @@ -33,7 +33,7 @@ import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.MethodSource; -import org.springframework.boot.ssl.pem.KeyVerifier.Result; +import org.springframework.boot.autoconfigure.ssl.KeyVerifier.Result; import static org.assertj.core.api.Assertions.assertThat; diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java index 1b745328310..6143a7919d3 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java @@ -20,12 +20,15 @@ import java.security.Key; import java.security.KeyStore; import java.security.cert.Certificate; import java.util.Set; +import java.util.function.Consumer; import org.junit.jupiter.api.Test; import org.springframework.boot.ssl.SslBundle; +import org.springframework.util.function.ThrowingConsumer; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatIllegalStateException; /** * Tests for {@link PropertiesSslBundle}. @@ -35,6 +38,8 @@ import static org.assertj.core.api.Assertions.assertThat; */ class PropertiesSslBundleTests { + private static final char[] EMPTY_KEY_PASSWORD = new char[] {}; + @Test void pemPropertiesAreMappedToSslBundle() throws Exception { PemSslBundleProperties properties = new PemSslBundleProperties(); @@ -99,4 +104,47 @@ class PropertiesSslBundleTests { assertThat(trustStore.getProvider().getName()).isEqualTo("SUN"); } + @Test + void getWithPemSslBundlePropertiesWhenVerifyKeyStoreAgainstSingleCertificateWithMatchCreatesBundle() { + PemSslBundleProperties properties = new PemSslBundleProperties(); + properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key1.crt"); + properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key1.pem"); + properties.getKeystore().setVerifyKeys(true); + properties.getKey().setAlias("test-alias"); + SslBundle bundle = PropertiesSslBundle.get(properties); + assertThat(bundle.getStores().getKeyStore()).satisfies(storeContainingCertAndKey("test-alias")); + } + + @Test + void getWithPemSslBundlePropertiesWhenVerifyKeyStoreAgainstCertificateChainWithMatchCreatesBundle() { + PemSslBundleProperties properties = new PemSslBundleProperties(); + properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key2-chain.crt"); + properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key2.pem"); + properties.getKeystore().setVerifyKeys(true); + properties.getKey().setAlias("test-alias"); + SslBundle bundle = PropertiesSslBundle.get(properties); + assertThat(bundle.getStores().getKeyStore()).satisfies(storeContainingCertAndKey("test-alias")); + } + + @Test + void getWithPemSslBundlePropertiesWhenVerifyKeyStoreWithNoMatchThrowsException() { + PemSslBundleProperties properties = new PemSslBundleProperties(); + properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key2.crt"); + properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key1.pem"); + properties.getKeystore().setVerifyKeys(true); + properties.getKey().setAlias("test-alias"); + assertThatIllegalStateException().isThrownBy(() -> PropertiesSslBundle.get(properties)) + .withMessageContaining("Private key matches none of the certificates"); + } + + private Consumer storeContainingCertAndKey(String keyAlias) { + return ThrowingConsumer.of((keyStore) -> { + assertThat(keyStore).isNotNull(); + assertThat(keyStore.getType()).isEqualTo(KeyStore.getDefaultType()); + assertThat(keyStore.containsAlias(keyAlias)).isTrue(); + assertThat(keyStore.getCertificate(keyAlias)).isNotNull(); + assertThat(keyStore.getKey(keyAlias, EMPTY_KEY_PASSWORD)).isNotNull(); + }); + } + } diff --git a/spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key1.crt b/spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key1.crt similarity index 100% rename from spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key1.crt rename to spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key1.crt diff --git a/spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key1.pem b/spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key1.pem similarity index 100% rename from spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key1.pem rename to spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key1.pem diff --git a/spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key2-chain.crt b/spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key2-chain.crt similarity index 100% rename from spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key2-chain.crt rename to spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key2-chain.crt diff --git a/spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key2.crt b/spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key2.crt similarity index 100% rename from spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key2.crt rename to spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key2.crt diff --git a/spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key2.pem b/spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key2.pem similarity index 100% rename from spring-boot-project/spring-boot/src/test/resources/org/springframework/boot/ssl/pem/key2.pem rename to spring-boot-project/spring-boot-autoconfigure/src/test/resources/org/springframework/boot/autoconfigure/ssl/key2.pem diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java index b5ad0b5b46e..441d9cfb3f8 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java @@ -51,8 +51,9 @@ public class PemSslStoreBundle implements SslStoreBundle { * @param keyStoreDetails the key store details * @param trustStoreDetails the trust store details */ + @SuppressWarnings("removal") public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails) { - this(keyStoreDetails, trustStoreDetails, null, false); + this(keyStoreDetails, trustStoreDetails, null); } /** @@ -66,26 +67,9 @@ public class PemSslStoreBundle implements SslStoreBundle { */ @Deprecated(since = "3.2.0", forRemoval = true) public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails, String alias) { - this(keyStoreDetails, trustStoreDetails, alias, false); - } - - /** - * Create a new {@link PemSslStoreBundle} instance. - * @param keyStoreDetails the key store details - * @param trustStoreDetails the trust store details - * @param verifyKeys whether to verify that the private key matches the public key - * @since 3.2.0 - */ - public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails, - boolean verifyKeys) { - this(keyStoreDetails, trustStoreDetails, null, verifyKeys); - } - - private PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails, String alias, - boolean verifyKeys) { try { - this.keyStore = createKeyStore("key", PemSslStore.load(keyStoreDetails), alias, verifyKeys); - this.trustStore = createKeyStore("trust", PemSslStore.load(trustStoreDetails), alias, verifyKeys); + this.keyStore = createKeyStore("key", PemSslStore.load(keyStoreDetails), alias); + this.trustStore = createKeyStore("trust", PemSslStore.load(trustStoreDetails), alias); } catch (IOException ex) { throw new UncheckedIOException(ex); @@ -96,13 +80,15 @@ public class PemSslStoreBundle implements SslStoreBundle { * Create a new {@link PemSslStoreBundle} instance. * @param pemKeyStore the PEM key store * @param pemTrustStore the PEM trust store - * @param alias the alias to use or {@code null} to use a default alias - * @param verifyKeys whether to verify that the private key matches the public key * @since 3.2.0 */ - public PemSslStoreBundle(PemSslStore pemKeyStore, PemSslStore pemTrustStore, String alias, boolean verifyKeys) { - this.keyStore = createKeyStore("key", pemKeyStore, alias, verifyKeys); - this.trustStore = createKeyStore("trust", pemTrustStore, alias, verifyKeys); + public PemSslStoreBundle(PemSslStore pemKeyStore, PemSslStore pemTrustStore) { + this(pemKeyStore, pemTrustStore, null); + } + + private PemSslStoreBundle(PemSslStore pemKeyStore, PemSslStore pemTrustStore, String alias) { + this.keyStore = createKeyStore("key", pemKeyStore, alias); + this.trustStore = createKeyStore("trust", pemTrustStore, alias); } @Override @@ -120,7 +106,7 @@ public class PemSslStoreBundle implements SslStoreBundle { return this.trustStore; } - private static KeyStore createKeyStore(String name, PemSslStore pemSslStore, String alias, boolean verifyKeys) { + private static KeyStore createKeyStore(String name, PemSslStore pemSslStore, String alias) { if (pemSslStore == null) { return null; } @@ -132,9 +118,6 @@ public class PemSslStoreBundle implements SslStoreBundle { List certificates = pemSslStore.certificates(); PrivateKey privateKey = pemSslStore.privateKey(); if (privateKey != null) { - if (verifyKeys) { - verifyKeys(privateKey, certificates); - } addPrivateKey(store, privateKey, alias, pemSslStore.password(), certificates); } else { @@ -154,18 +137,6 @@ public class PemSslStoreBundle implements SslStoreBundle { return store; } - private static void verifyKeys(PrivateKey privateKey, List certificateChain) { - KeyVerifier keyVerifier = new KeyVerifier(); - // Key should match one of the certificates - for (X509Certificate certificate : certificateChain) { - KeyVerifier.Result result = keyVerifier.matches(privateKey, certificate.getPublicKey()); - if (result == KeyVerifier.Result.YES) { - return; - } - } - throw new IllegalStateException("Private key matches none of the certificates in the chain"); - } - private static void addPrivateKey(KeyStore keyStore, PrivateKey privateKey, String alias, String keyPassword, List certificateChain) throws KeyStoreException { keyStore.setKeyEntry(alias, privateKey, (keyPassword != null) ? keyPassword.toCharArray() : null, diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemSslStoreBundleTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemSslStoreBundleTests.java index c6759036d35..b3490193106 100644 --- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemSslStoreBundleTests.java +++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemSslStoreBundleTests.java @@ -27,7 +27,6 @@ import org.junit.jupiter.api.Test; import org.springframework.util.function.ThrowingConsumer; import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatIllegalStateException; /** * Tests for {@link PemSslStoreBundle}. @@ -206,43 +205,12 @@ class PemSslStoreBundleTests { assertThat(bundle.getTrustStore()).satisfies(storeContainingCertAndKey("tsa", "tss".toCharArray())); } - @Test - void shouldVerifyKeysIfEnabled() { - PemSslStoreDetails keyStoreDetails = PemSslStoreDetails - .forCertificate("classpath:org/springframework/boot/ssl/pem/key1.crt") - .withPrivateKey("classpath:org/springframework/boot/ssl/pem/key1.pem") - .withAlias("test-alias") - .withPassword("keysecret"); - PemSslStoreBundle bundle = new PemSslStoreBundle(keyStoreDetails, null, true); - assertThat(bundle.getKeyStore()).satisfies(storeContainingCertAndKey("test-alias", "keysecret".toCharArray())); - } - - @Test - void shouldVerifyKeysIfEnabledAndCertificateChainIsUsed() { - PemSslStoreDetails keyStoreDetails = PemSslStoreDetails - .forCertificates("classpath:org/springframework/boot/ssl/pem/key2-chain.crt") - .withPrivateKey("classpath:org/springframework/boot/ssl/pem/key2.pem") - .withAlias("test-alias") - .withPassword("keysecret"); - PemSslStoreBundle bundle = new PemSslStoreBundle(keyStoreDetails, null, true); - assertThat(bundle.getKeyStore()).satisfies(storeContainingCertAndKey("test-alias", "keysecret".toCharArray())); - } - - @Test - void shouldFailIfVerifyKeysIsEnabledAndKeysDontMatch() { - PemSslStoreDetails keyStoreDetails = PemSslStoreDetails - .forCertificate("classpath:org/springframework/boot/ssl/pem/key2.crt") - .withPrivateKey("classpath:org/springframework/boot/ssl/pem/key1.pem"); - assertThatIllegalStateException().isThrownBy(() -> new PemSslStoreBundle(keyStoreDetails, null, true)) - .withMessageContaining("Private key matches none of the certificates"); - } - @Test void createWithPemSslStoreCreatesInstance() { List certificates = PemContent.of(CERTIFICATE).getCertificates(); PrivateKey privateKey = PemContent.of(PRIVATE_KEY).getPrivateKey(); PemSslStore pemSslStore = PemSslStore.of(certificates, privateKey); - PemSslStoreBundle bundle = new PemSslStoreBundle(pemSslStore, pemSslStore, null, false); + PemSslStoreBundle bundle = new PemSslStoreBundle(pemSslStore, pemSslStore); assertThat(bundle.getKeyStore()).satisfies(storeContainingCertAndKey("ssl")); assertThat(bundle.getTrustStore()).satisfies(storeContainingCertAndKey("ssl")); }