pull/33648/head
Phillip Webb 2 years ago
parent 1939d23de3
commit bc6fc33498

@ -44,6 +44,7 @@ import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.ObjectUtils;
import org.springframework.util.ResourceUtils;
import org.springframework.util.StringUtils;
/**
* {@link JettyServerCustomizer} that configures SSL on the given Jetty server instance.
@ -224,10 +225,8 @@ class SslServerCustomizer implements JettyServerCustomizer {
String keystoreType = (ssl.getKeyStoreType() != null) ? ssl.getKeyStoreType() : "JKS";
String keystoreLocation = ssl.getKeyStore();
if (keystoreType.equalsIgnoreCase("PKCS11")) {
if (keystoreLocation != null && !keystoreLocation.isEmpty()) {
throw new IllegalArgumentException("Input keystore location is not valid for keystore type 'PKCS11': '"
+ keystoreLocation + "'. Must be undefined / null.");
}
Assert.state(!StringUtils.hasText(keystoreLocation),
() -> "Keystore location '" + keystoreLocation + "' must be empty or null for PKCS11 key stores");
}
else {
try {
@ -240,7 +239,7 @@ class SslServerCustomizer implements JettyServerCustomizer {
}
factory.setKeyStoreType(keystoreType);
if (ssl.getKeyStoreProvider() != null) {
factory.setKeyStoreProvider(ssl.getKeyStoreProvider());
factory.setKeyStoreProvider(this.ssl.getKeyStoreProvider());
}
}

@ -48,7 +48,9 @@ import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.SslConfigurationValidator;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerException;
import org.springframework.util.Assert;
import org.springframework.util.ResourceUtils;
import org.springframework.util.StringUtils;
/**
* {@link NettyServerCustomizer} that configures SSL for the given Reactor Netty server
@ -169,25 +171,26 @@ public class SslServerCustomizer implements NettyServerCustomizer {
return loadStore(type, provider, resource, password);
}
private KeyStore loadStore(String type, String provider, String resource, String password) throws Exception {
type = (type != null) ? type : "JKS";
KeyStore store = (provider != null) ? KeyStore.getInstance(type, provider) : KeyStore.getInstance(type);
if (type.equalsIgnoreCase("PKCS11")) {
if (resource != null && !resource.isEmpty()) {
throw new IllegalArgumentException("Input keystore location is not valid for keystore type 'PKCS11': '"
+ resource + "'. Must be undefined / null.");
}
store.load(null, (password != null) ? password.toCharArray() : null);
private KeyStore loadStore(String keystoreType, String provider, String keystoreLocation, String password)
throws Exception {
keystoreType = (keystoreType != null) ? keystoreType : "JKS";
char[] passwordChars = (password != null) ? password.toCharArray() : null;
KeyStore store = (provider != null) ? KeyStore.getInstance(keystoreType, provider)
: KeyStore.getInstance(keystoreType);
if (keystoreType.equalsIgnoreCase("PKCS11")) {
Assert.state(!StringUtils.hasText(keystoreLocation),
() -> "Keystore location '" + keystoreLocation + "' must be empty or null for PKCS11 key stores");
store.load(null, passwordChars);
}
else {
try {
URL url = ResourceUtils.getURL(resource);
URL url = ResourceUtils.getURL(keystoreLocation);
try (InputStream stream = url.openStream()) {
store.load(stream, (password != null) ? password.toCharArray() : null);
store.load(stream, passwordChars);
}
}
catch (Exception ex) {
throw new WebServerException("Could not load key store '" + resource + "'", ex);
throw new WebServerException("Could not load key store '" + keystoreLocation + "'", ex);
}
}
return store;

@ -143,10 +143,8 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
String keystoreType = (ssl.getKeyStoreType() != null) ? ssl.getKeyStoreType() : "JKS";
String keystoreLocation = ssl.getKeyStore();
if (keystoreType.equalsIgnoreCase("PKCS11")) {
if (keystoreLocation != null && !keystoreLocation.isEmpty()) {
throw new IllegalArgumentException("Input keystore location is not valid for keystore type 'PKCS11': '"
+ keystoreLocation + "'. Must be undefined / null.");
}
Assert.state(!StringUtils.hasText(keystoreLocation),
() -> "Keystore location '" + keystoreLocation + "' must be empty or null for PKCS11 key stores");
}
else {
try {

@ -17,8 +17,6 @@
package org.springframework.boot.web.embedded.jetty;
import java.net.InetSocketAddress;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
@ -29,20 +27,19 @@ import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.condition.OS;
import org.springframework.boot.testsupport.junit.DisabledOnOs;
import org.springframework.boot.web.embedded.netty.MockPkcs11SecurityProvider;
import org.springframework.boot.web.embedded.test.MockPkcs11Security;
import org.springframework.boot.web.embedded.test.MockPkcs11SecurityProvider;
import org.springframework.boot.web.server.Http2;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.WebServerException;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
import static org.assertj.core.api.Assertions.assertThatNoException;
/**
@ -51,25 +48,9 @@ import static org.assertj.core.api.Assertions.assertThatNoException;
* @author Andy Wilkinson
* @author Cyril Dangerville
*/
@MockPkcs11Security
class SslServerCustomizerTests {
private static final Provider PKCS11_PROVIDER = new MockPkcs11SecurityProvider();
@BeforeAll
static void beforeAllTests() {
/*
* Add the mock Java security provider for PKCS#11-related unit tests.
*
*/
Security.addProvider(PKCS11_PROVIDER);
}
@AfterAll
static void afterAllTests() {
// Remove the provider previously added in setup()
Security.removeProvider(PKCS11_PROVIDER.getName());
}
@Test
@SuppressWarnings("rawtypes")
void whenHttp2IsNotEnabledServerConnectorHasSslAndHttpConnectionFactories() {
@ -107,11 +88,8 @@ class SslServerCustomizerTests {
assertThat(((ALPNServerConnectionFactory) factories.get(1)).getDefaultProtocol()).isNull();
}
/**
* Null/undefined keystore is invalid unless keystore type is PKCS11.
*/
@Test
void configureSslWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsWebServerException() {
void configureSslWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsException() {
Ssl ssl = new Ssl();
SslServerCustomizer customizer = new SslServerCustomizer(null, ssl, null, null);
assertThatExceptionOfType(Exception.class)
@ -122,30 +100,26 @@ class SslServerCustomizerTests {
});
}
/**
* No keystore path should be defined if keystore type is PKCS#11.
*/
@Test
void configureSslWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsIllegalArgumentException() {
void configureSslWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsException() {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStore("src/test/resources/test.jks");
ssl.setKeyPassword("password");
SslServerCustomizer customizer = new SslServerCustomizer(null, ssl, null, null);
assertThatIllegalArgumentException()
assertThatIllegalStateException()
.isThrownBy(() -> customizer.configureSsl(new SslContextFactory.Server(), ssl, null))
.withMessageContaining("Input keystore location is not valid for keystore type 'PKCS11'");
.withMessageContaining("must be empty or null for PKCS11 key stores");
}
@Test
void customizeWhenSslIsEnabledWithPkcs11AndKeyStoreProvider() {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStorePassword("1234");
SslServerCustomizer customizer = new SslServerCustomizer(null, ssl, null, null);
// Loading the KeyManagerFactory should be successful
assertThatNoException().isThrownBy(() -> customizer.configureSsl(new SslContextFactory.Server(), ssl, null));
}

@ -1,48 +0,0 @@
/*
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.boot.web.embedded.netty;
import java.security.KeyStoreSpi;
import java.security.Provider;
/**
* Mock PKCS#11 Security Provider for testing purposes only (e.g. SslServerCustomizerTests
* class)
*
* @author Cyril Dangerville
*/
public class MockPkcs11SecurityProvider extends Provider {
private static final String DEFAULT_PROVIDER_NAME = "Mock-PKCS11";
private static final double VERSION = 0.1;
private static final String DESCRIPTION = "Mock PKCS11 Provider";
/**
* Create Security Provider named {@value #DEFAULT_PROVIDER_NAME}, version
* {@value #VERSION} and providing PKCS11 KeyStores with {@link MockKeyStoreSpi} as
* {@link KeyStoreSpi} implementation.
*/
public MockPkcs11SecurityProvider() {
super(DEFAULT_PROVIDER_NAME, VERSION, DESCRIPTION);
putService(new Service(this, "KeyStore", "PKCS11",
"org.springframework.boot.web.embedded.netty.MockKeyStoreSpi", null, null));
}
}

@ -17,13 +17,11 @@
package org.springframework.boot.web.embedded.netty;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.springframework.boot.web.embedded.test.MockPkcs11Security;
import org.springframework.boot.web.embedded.test.MockPkcs11SecurityProvider;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.WebServerException;
@ -38,29 +36,9 @@ import static org.assertj.core.api.Assertions.assertThatNoException;
* @author Cyril Dangerville
*/
@SuppressWarnings("deprecation")
@MockPkcs11Security
class SslServerCustomizerTests {
private static final Provider PKCS11_PROVIDER = new MockPkcs11SecurityProvider();
@BeforeAll
static void setup() {
/*
* Add the mock Java security provider for PKCS#11-related unit tests.
*
* For an integration test with an actual PKCS#11 library - SoftHSM - properly
* installed and configured on the system (inside a container), used via Java
* built-in SunPKCS11 provider, see the 'spring-boot-smoke-test-webflux-ssl'
* project in 'spring-boot-tests/spring-boot-smoke-tests' folder.
*/
Security.addProvider(PKCS11_PROVIDER);
}
@AfterAll
static void shutdown() {
// Remove the provider previously added in setup()
Security.removeProvider(PKCS11_PROVIDER.getName());
}
@Test
void keyStoreProviderIsUsedWhenCreatingKeyStore() {
Ssl ssl = new Ssl();
@ -85,41 +63,34 @@ class SslServerCustomizerTests {
.withMessageContaining("com.example.TrustStoreProvider");
}
/**
* Null/undefined keystore is not valid unless keystore type is PKCS11.
*/
@Test
void getKeyManagerFactoryWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsWebServerException() {
void getKeyManagerFactoryWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsException() {
Ssl ssl = new Ssl();
SslServerCustomizer customizer = new SslServerCustomizer(ssl, null, null);
assertThatIllegalStateException().isThrownBy(() -> customizer.getKeyManagerFactory(ssl, null))
.withCauseInstanceOf(WebServerException.class).withMessageContaining("Could not load key store 'null'");
}
/**
* No keystore path should be defined if keystore type is PKCS#11.
*/
@Test
void getKeyManagerFactoryWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsIllegalArgumentException() {
void getKeyManagerFactoryWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsException() {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStore("src/test/resources/test.jks");
ssl.setKeyPassword("password");
SslServerCustomizer customizer = new SslServerCustomizer(ssl, null, null);
assertThatIllegalStateException().isThrownBy(() -> customizer.getKeyManagerFactory(ssl, null))
.withCauseInstanceOf(IllegalArgumentException.class)
.withMessageContaining("Input keystore location is not valid for keystore type 'PKCS11'");
.withCauseInstanceOf(IllegalStateException.class)
.withMessageContaining("must be empty or null for PKCS11 key stores");
}
@Test
void getKeyManagerFactoryWhenSslIsEnabledWithPkcs11AndKeyStoreProvider() {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStorePassword("1234");
SslServerCustomizer customizer = new SslServerCustomizer(ssl, null, null);
// Loading the KeyManagerFactory should be successful
assertThatNoException().isThrownBy(() -> customizer.getKeyManagerFactory(ssl, null));
}

@ -14,7 +14,7 @@
* limitations under the License.
*/
package org.springframework.boot.web.embedded.netty;
package org.springframework.boot.web.embedded.test;
import java.io.InputStream;
import java.io.OutputStream;
@ -31,7 +31,7 @@ import java.util.HashMap;
import java.util.Map;
/**
* Mock Security Provider for testing purposes only (e.g. SslServerCustomizerTests class)
* Mock Security Provider for testing purposes.
*
* @author Cyril Dangerville
*/
@ -45,7 +45,7 @@ public class MockKeyStoreSpi extends KeyStoreSpi {
KEYGEN.initialize(2048);
}
catch (NoSuchAlgorithmException ex) {
throw new RuntimeException(ex);
throw new IllegalStateException(ex);
}
}
@ -99,8 +99,6 @@ public class MockKeyStoreSpi extends KeyStoreSpi {
@Override
public boolean engineContainsAlias(String alias) {
// contains any required alias, for testing purposes
// Add alias to aliases list on the fly
this.aliases.put(alias, KEYGEN.generateKeyPair());
return true;
}
@ -112,7 +110,6 @@ public class MockKeyStoreSpi extends KeyStoreSpi {
@Override
public boolean engineIsKeyEntry(String alias) {
// Handle all keystore entries as key entries
return this.aliases.containsKey(alias);
}
@ -133,7 +130,6 @@ public class MockKeyStoreSpi extends KeyStoreSpi {
@Override
public void engineLoad(InputStream stream, char[] password) {
// Nothing to do, this is a mock keystore implementation, for testing only.
}
}

@ -0,0 +1,34 @@
/*
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.boot.web.embedded.test;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import org.junit.jupiter.api.extension.ExtendWith;
/**
* JUnit {@link ExtendWith @ExtendWith} annotation to support
* {@link MockPkcs11SecurityProvider}.
*
* @author Phillip Webb
*/
@ExtendWith(MockPkcs11SecurityProviderExtension.class)
@Retention(RetentionPolicy.RUNTIME)
public @interface MockPkcs11Security {
}

@ -0,0 +1,40 @@
/*
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.boot.web.embedded.test;
import java.security.Provider;
/**
* Mock PKCS#11 Security Provider for testing purposes.
*
* @author Cyril Dangerville
*/
public class MockPkcs11SecurityProvider extends Provider {
/**
* The name of the mock provider.
*/
public static final String NAME = "Mock-PKCS11";
static final MockPkcs11SecurityProvider INSTANCE = new MockPkcs11SecurityProvider();
MockPkcs11SecurityProvider() {
super(NAME, 0.1, "Mock PKCS11 Provider");
putService(new Service(this, "KeyStore", "PKCS11", MockKeyStoreSpi.class.getName(), null, null));
}
}

@ -0,0 +1,44 @@
/*
* Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.boot.web.embedded.test;
import java.security.Security;
import org.junit.jupiter.api.extension.AfterAllCallback;
import org.junit.jupiter.api.extension.BeforeAllCallback;
import org.junit.jupiter.api.extension.Extension;
import org.junit.jupiter.api.extension.ExtensionContext;
/**
* {@link Extension} to support {@link MockPkcs11SecurityProvider}.
*
* @author Phillip Webb
* @see MockPkcs11Security
*/
class MockPkcs11SecurityProviderExtension implements BeforeAllCallback, AfterAllCallback {
@Override
public void beforeAll(ExtensionContext context) throws Exception {
Security.addProvider(MockPkcs11SecurityProvider.INSTANCE);
}
@Override
public void afterAll(ExtensionContext context) throws Exception {
Security.removeProvider(MockPkcs11SecurityProvider.NAME);
}
}

@ -21,8 +21,6 @@ import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.util.Set;
@ -31,9 +29,7 @@ import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
@ -41,7 +37,8 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.boot.testsupport.system.CapturedOutput;
import org.springframework.boot.testsupport.system.OutputCaptureExtension;
import org.springframework.boot.testsupport.web.servlet.DirtiesUrlFactories;
import org.springframework.boot.web.embedded.netty.MockPkcs11SecurityProvider;
import org.springframework.boot.web.embedded.test.MockPkcs11Security;
import org.springframework.boot.web.embedded.test.MockPkcs11SecurityProvider;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.SslStoreProvider;
import org.springframework.boot.web.server.WebServerException;
@ -50,7 +47,7 @@ import org.springframework.core.io.Resource;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
@ -65,29 +62,13 @@ import static org.mockito.Mockito.mock;
*/
@ExtendWith(OutputCaptureExtension.class)
@DirtiesUrlFactories
@MockPkcs11Security
class SslConnectorCustomizerTests {
private static final Provider PKCS11_PROVIDER = new MockPkcs11SecurityProvider();
private Tomcat tomcat;
private Connector connector;
@BeforeAll
static void beforeAllTests() {
/*
* Add the mock Java security provider for PKCS#11-related unit tests.
*
*/
Security.addProvider(PKCS11_PROVIDER);
}
@AfterAll
static void afterAllTests() {
// Remove the provider previously added in setup()
Security.removeProvider(PKCS11_PROVIDER.getName());
}
@BeforeEach
void setup() {
this.tomcat = new Tomcat();
@ -201,39 +182,32 @@ class SslConnectorCustomizerTests {
assertThat(output).doesNotContain("Password verification failed");
}
/**
* Null/undefined keystore is invalid unless keystore type is PKCS11.
*/
@Test
void customizeWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsWebServerException() {
void customizeWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsException() {
assertThatExceptionOfType(WebServerException.class)
.isThrownBy(() -> new SslConnectorCustomizer(new Ssl(), null).customize(this.tomcat.getConnector()))
.withMessageContaining("Could not load key store 'null'");
}
/**
* No keystore path should be defined if keystore type is PKCS#11.
*/
@Test
void customizeWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsIllegalArgumentException() {
void customizeWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsException() {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStore("src/test/resources/test.jks");
ssl.setKeyPassword("password");
SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, null);
assertThatIllegalArgumentException().isThrownBy(() -> customizer.customize(this.tomcat.getConnector()))
.withMessageContaining("Input keystore location is not valid for keystore type 'PKCS11'");
assertThatIllegalStateException().isThrownBy(() -> customizer.customize(this.tomcat.getConnector()))
.withMessageContaining("must be empty or null for PKCS11 key stores");
}
@Test
void customizeWhenSslIsEnabledWithPkcs11AndKeyStoreProvider() {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStorePassword("1234");
SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, null);
// Loading the KeyManagerFactory should be successful
assertThatNoException().isThrownBy(() -> customizer.customize(this.tomcat.getConnector()));
}

@ -18,16 +18,13 @@ package org.springframework.boot.web.embedded.undertow;
import java.net.InetAddress;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManager;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.springframework.boot.web.embedded.netty.MockPkcs11SecurityProvider;
import org.springframework.boot.web.embedded.test.MockPkcs11Security;
import org.springframework.boot.web.embedded.test.MockPkcs11SecurityProvider;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.server.WebServerException;
import org.springframework.test.util.ReflectionTestUtils;
@ -43,25 +40,9 @@ import static org.assertj.core.api.Assertions.assertThatNoException;
* @author Raheela Aslam
* @author Cyril Dangerville
*/
@MockPkcs11Security
class SslBuilderCustomizerTests {
private static final Provider PKCS11_PROVIDER = new MockPkcs11SecurityProvider();
@BeforeAll
static void beforeAllTests() {
/*
* Add the mock Java security provider for PKCS#11-related unit tests.
*
*/
Security.addProvider(PKCS11_PROVIDER);
}
@AfterAll
static void afterAllTests() {
// Remove the provider previously added in setup()
Security.removeProvider(PKCS11_PROVIDER.getName());
}
@Test
void getKeyManagersWhenAliasIsNullShouldNotDecorate() throws Exception {
Ssl ssl = new Ssl();
@ -100,11 +81,8 @@ class SslBuilderCustomizerTests {
.withMessageContaining("com.example.TrustStoreProvider");
}
/**
* Null/undefined keystore is invalid unless keystore type is PKCS11.
*/
@Test
void getKeyManagersWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsWebServerException() throws Exception {
void getKeyManagersWhenSslIsEnabledWithNoKeyStoreAndNotPkcs11ThrowsException() throws Exception {
Ssl ssl = new Ssl();
SslBuilderCustomizer customizer = new SslBuilderCustomizer(8080, InetAddress.getLocalHost(), ssl, null);
assertThatIllegalStateException()
@ -112,14 +90,11 @@ class SslBuilderCustomizerTests {
.withCauseInstanceOf(WebServerException.class).withMessageContaining("Could not load key store 'null'");
}
/**
* No keystore path should be defined if keystore type is PKCS#11.
*/
@Test
void configureSslWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsIllegalArgumentException() throws Exception {
void configureSslWhenSslIsEnabledWithPkcs11AndKeyStoreThrowsException() throws Exception {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStore("src/test/resources/test.jks");
ssl.setKeyPassword("password");
SslBuilderCustomizer customizer = new SslBuilderCustomizer(8080, InetAddress.getLocalHost(), ssl, null);
@ -133,10 +108,9 @@ class SslBuilderCustomizerTests {
void customizeWhenSslIsEnabledWithPkcs11AndKeyStoreProvider() throws Exception {
Ssl ssl = new Ssl();
ssl.setKeyStoreType("PKCS11");
ssl.setKeyStoreProvider(PKCS11_PROVIDER.getName());
ssl.setKeyStoreProvider(MockPkcs11SecurityProvider.NAME);
ssl.setKeyStorePassword("1234");
SslBuilderCustomizer customizer = new SslBuilderCustomizer(8080, InetAddress.getLocalHost(), ssl, null);
// Loading the KeyManagerFactory should be successful
assertThatNoException()
.isThrownBy(() -> ReflectionTestUtils.invokeMethod(customizer, "getKeyManagers", ssl, null));
}

Loading…
Cancel
Save