From d3f177be7136da08afd0af190e916b64faa08ccb Mon Sep 17 00:00:00 2001 From: Moritz Halbritter Date: Thu, 2 Nov 2023 08:51:42 +0100 Subject: [PATCH] Polish SSL --- .../boot/autoconfigure/ssl/CertificateMatcher.java | 6 +++++- .../boot/autoconfigure/ssl/PropertiesSslBundle.java | 2 +- .../boot/autoconfigure/ssl/PropertiesSslBundleTests.java | 2 +- .../org/springframework/boot/ssl/pem/PemContent.java | 2 +- .../boot/ssl/pem/PemPrivateKeyParser.java | 7 ++----- .../org/springframework/boot/ssl/pem/PemSslStore.java | 2 +- .../springframework/boot/ssl/pem/PemSslStoreBundle.java | 1 - .../springframework/boot/ssl/pem/PemSslStoreDetails.java | 2 +- .../springframework/boot/ssl/pem/PemContentTests.java | 9 --------- 9 files changed, 12 insertions(+), 21 deletions(-) diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/CertificateMatcher.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/CertificateMatcher.java index 343305fd289..3f25ecc2c0c 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/CertificateMatcher.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/CertificateMatcher.java @@ -26,6 +26,8 @@ import java.security.cert.Certificate; import java.util.List; import java.util.Objects; +import org.springframework.util.Assert; + /** * Helper used to match certificates against a {@link PrivateKey}. * 
@@ -48,14 +50,16 @@ class CertificateMatcher { private final byte[] generatedSignature; CertificateMatcher(PrivateKey privateKey) { + Assert.notNull(privateKey, "Private key must not be null"); this.privateKey = privateKey; this.signature = createSignature(privateKey); + Assert.notNull(this.signature, "Failed to create signature"); this.generatedSignature = sign(this.signature, privateKey); } private Signature createSignature(PrivateKey privateKey) { try { - String algorithm = getSignatureAlgorithm(this.privateKey); + String algorithm = getSignatureAlgorithm(privateKey); return (algorithm != null) ? Signature.getInstance(algorithm) : null; } catch (NoSuchAlgorithmException ex) { diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java index d8cfd084ab4..a76f5c2fa2b 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java @@ -120,7 +120,7 @@ public final class PropertiesSslBundle implements SslBundle { if (properties.isVerifyKeys()) { CertificateMatcher certificateMatcher = new CertificateMatcher(pemSslStore.privateKey()); Assert.state(certificateMatcher.matchesAny(pemSslStore.certificates()), - "Private key matches none of the certificates in the chain"); + "Private key in %s matches none of the certificates in the chain".formatted(propertyName)); } return pemSslStore; } 
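Review bot: The new `Assert.notNull(this.signature, "Failed to create signature")` reports the failure without its cause; `createSignature` returns null both when `getSignatureAlgorithm` has no mapping for the key type and, judging by the `catch (NoSuchAlgorithmException ex)` whose body lies outside the hunk, when the provider lacks the algorithm, so a verify-keys failure is hard to diagnose from the message alone. Including the key's algorithm name makes it actionable: `Assert.notNull(this.signature, () -> "Failed to create signature for key algorithm '%s'".formatted(privateKey.getAlgorithm()));`. Note that `Assert.notNull` throws `IllegalArgumentException`, so an unsupported key type now fails at construction rather than later in `matchesAny`; that seems acceptable since PropertiesSslBundle only constructs the matcher when verify-keys is set, but a sentence in the constructor's Javadoc stating that unsupported key types are rejected here would make the contract explicit. The `createSignature` method continues past the end of the hunk.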
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java index 52447f47b62..d6b770a3d92 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java @@ -134,7 +134,7 @@ class PropertiesSslBundleTests { properties.getKeystore().setVerifyKeys(true); properties.getKey().setAlias("test-alias"); assertThatIllegalStateException().isThrownBy(() -> PropertiesSslBundle.get(properties)) - .withMessageContaining("Private key matches none of the certificates"); + .withMessageContaining("Private key in keystore matches none of the certificates"); } private Consumer storeContainingCertAndKey(String keyAlias) { diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemContent.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemContent.java index 364a3f745a2..e6bb75a44bc 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemContent.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemContent.java @@ -48,7 +48,7 @@ public final class PemContent { private static final Pattern PEM_FOOTER = Pattern.compile("-+END\\s+[^-]*-+", Pattern.CASE_INSENSITIVE); - private String text; + private final String text; private PemContent(String text) { this.text = text; 
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java index dbc5ca69727..113d490ea18 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java @@ -130,7 +130,7 @@ final class PemPrivateKeyParser { } Assert.state(parameters.isType(ValueType.ENCODED), "Key spec should contain encoded parameters"); DerElement contents = DerElement.of(parameters.getContents()); - Assert.state(contents.isType(ValueType.PRIMITIVE, TagType.OBJECT_IDENTIFIER), + Assert.state(contents != null && contents.isType(ValueType.PRIMITIVE, TagType.OBJECT_IDENTIFIER), "Key spec parameters should contain object identifier"); return getEcParameters(contents.getContents()); } @@ -237,6 +237,7 @@ final class PemPrivateKeyParser { return keyFactory.generatePrivate(keySpec); } catch (InvalidKeySpecException | NoSuchAlgorithmException ex) { + // Ignore } } return null; @@ -264,10 +265,6 @@ final class PemPrivateKeyParser { codeLengthBytes(0x04, bytes); } - void sequence(int... elements) throws IOException { - sequence(bytes(elements)); - } - void sequence(byte[] bytes) throws IOException { codeLengthBytes(0x30, bytes); } diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStore.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStore.java index 7eb3ce7b675..e1ed146f3cd 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStore.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStore.java 
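Review bot: The added `contents != null &&` guard in the first hunk protects `contents` from a null `DerElement.of` result, but the line directly above it calls `parameters.isType(ValueType.ENCODED)` without a corresponding guard; whether `parameters` can also be null depends on code before the hunk, and if it is produced by the same `DerElement.of` it needs the same `parameters != null &&` prefix. The assertion message now covers two distinct failures (missing element versus wrong tag), so `"Key spec parameters should contain an object identifier"` leaves the user guessing which one occurred; consider stating that the parameters element was absent or not a primitive OID. The enclosing method runs past the end of the hunk.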
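Review bot: The `// Ignore` comment added in the catch of `InvalidKeySpecException | NoSuchAlgorithmException` records that the exception is dropped but not why that is safe, which is the part a reader needs; the surrounding code appears to try several key factories in turn and fall through to `return null` (the loop head is outside the hunk). Suggest `// This factory does not accept the key spec; fall through to the next candidate, the caller treats a null result as "no parsable key"`. Because `NoSuchAlgorithmException` here also covers a JCA provider that is missing entirely, the silent null turns a configuration problem into a generic parse failure; if the class has a logger, a debug-level log of the exception would preserve that cause without changing behaviour.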
@@ -48,7 +48,7 @@ public interface PemSslStore { String alias(); /** - * the password used + * The password used when * {@link KeyStore#setKeyEntry(String, java.security.Key, char[], java.security.cert.Certificate[]) * setting key entries} in the {@link KeyStore}. * @return the password diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java index 441d9cfb3f8..44c6e0fbff4 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java @@ -51,7 +51,6 @@ public class PemSslStoreBundle implements SslStoreBundle { * @param keyStoreDetails the key store details * @param trustStoreDetails the trust store details */ - @SuppressWarnings("removal") public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails) { this(keyStoreDetails, trustStoreDetails, null); } diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java index 8f97b2b55ad..2f7dfff29c1 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java 
@@ -73,7 +73,7 @@ public record PemSslStoreDetails(String type, String alias, String password, Str * @param privateKeyPassword a password used to decrypt an encrypted private key */ public PemSslStoreDetails(String type, String certificate, String privateKey, String privateKeyPassword) { - this(type, null, null, certificate, privateKey, null); + this(type, null, null, certificate, privateKey, privateKeyPassword); } /** diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemContentTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemContentTests.java index e4318afe663..5f65058ef1f 100644 --- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemContentTests.java +++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemContentTests.java @@ -154,13 +154,4 @@ class PemContentTests { assertThat(PemContent.of("test")).hasToString("test"); } - @Test - void hashCodeAndEquals() { - PemContent a = PemContent.of("1"); - PemContent b = PemContent.of("1"); - PemContent c = PemContent.of("2"); - assertThat(a.hashCode()).isEqualTo(b.hashCode()); - assertThat(a).isEqualTo(a).isEqualTo(b).isNotEqualTo(c); - } - }
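Review bot: The change from `null` to `privateKeyPassword` in the four-argument constructor is a behavioural fix, not a polish: the constructor previously discarded the password it was documented to use, so an encrypted private key built through it could never be decrypted, and a commit titled "Polish SSL" hides that. It deserves a sentence in the commit message and a regression test, since none of the touched test files cover `PemSslStoreDetails`; a one-line check such as `assertThat(new PemSslStoreDetails("PKCS12", "cert", "key", "secret").privateKeyPassword()).isEqualTo("secret");` (values illustrative) would pin it. A similar assertion that `password()` stays null for this constructor would guard against the keystore password and private-key password being swapped, as both are plain `String` components of the record.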