From e75d45ca456e9f83d9eb9ab2fb00fca2e403755b Mon Sep 17 00:00:00 2001
From: Ian Chan
Date: Mon, 7 May 2018 00:10:06 +0100
Subject: [PATCH 1/2] Use empty trust-store password if SSL store provider present

For Tomcat, if an SslStoreProvider is configured, `SslStoreProviderUrlStreamHandlerFactory` stores the trust-store with an empty password. Previously, if a password was supplied using the ssl.trust-store-password property, that would be the password used to load the trust-store and the connector would warn with "Password verification failed" message.

Fixes gh-12688
---
 .../boot/web/embedded/tomcat/SslConnectorCustomizer.java | 1 +
 .../boot/web/embedded/tomcat/SslConnectorCustomizerTests.java | 1 +
 2 files changed, 2 insertions(+)

diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
index e3f9703fbf..3e10360b05 100644
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
@@ -118,6 +118,7 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
 					SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
 		}
 		if (sslStoreProvider.getTrustStore() != null) {
+			protocol.setTruststorePass("");
 			protocol.setTruststoreFile(
 					SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
 		}
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
index a81747a3a2..caef605e30 100644
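Review bot: The added `protocol.setTruststorePass("")` is correct only because of an invariant that lives in another class, and nothing at this line records it; a future reader will see a user-configured `ssl.trust-store-password` being silently discarded and is likely to "fix" it back. Add a comment above the call, e.g. `// The provider-backed trust store is served by SslStoreProviderUrlStreamHandlerFactory with an empty password, so the user-configured trust-store password must not be applied here.` The method enclosing this hunk starts and ends outside it, so I cannot tell whether the key-store branch just above relies on a matching convention or whether the empty-password store is reachable other than through the in-process URL handler; a sentence on that in the same comment would make the branch self-explanatory. Per the commit message the previous behaviour was a "Password verification failed" warning rather than a failed start, so this reads as a correctness and log-noise fix rather than a hardening change, and the comment should not overstate it.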
--- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
+++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
@@ -170,6 +170,7 @@ public class SslConnectorCustomizerTests {
 		Ssl ssl = new Ssl();
 		ssl.setKeyPassword("password");
 		ssl.setKeyStorePassword("secret");
+		ssl.setTrustStorePassword("trustStoreSecret");
 		SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
 		given(sslStoreProvider.getTrustStore()).willReturn(loadStore());
 		given(sslStoreProvider.getKeyStore()).willReturn(loadStore());

From ad1283195a9b293ce1dde3ad4503e2e89766a358 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Tue, 29 May 2018 15:06:39 -0700
Subject: [PATCH 2/2] Fix test in "Truststore password if SSLstoreprovider present"

See gh-13088
---
 .../web/embedded/tomcat/SslConnectorCustomizerTests.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
index caef605e30..286f9417b3 100644
--- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
+++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
@@ -31,8 +31,10 @@ import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 
+import org.springframework.boot.testsupport.rule.OutputCapture;
 import org.springframework.boot.web.server.Ssl;
 import org.springframework.boot.web.server.SslStoreProvider;
 import org.springframework.core.io.ClassPathResource;
@@ -54,6 +56,9 @@ public class SslConnectorCustomizerTests {
 
 	private Connector connector;
 
+	@Rule
+	public OutputCapture output = new OutputCapture();
+
 	@Before
 	public void setup() {
 		this.tomcat = new Tomcat();
@@ -64,6 +69,7 @@ public class SslConnectorCustomizerTests {
 
 	@After
 	public void stop() throws Exception {
+		System.clearProperty("javax.net.ssl.trustStorePassword");
 		ReflectionTestUtils.setField(TomcatURLStreamHandlerFactory.class, "instance",
 				null);
 		ReflectionTestUtils.setField(URL.class, "factory", null);
@@ -167,10 +173,10 @@ public class SslConnectorCustomizerTests {
 	@Test
 	public void customizeWhenSslStoreProviderPresentShouldIgnorePasswordFromSsl()
 			throws Exception {
+		System.setProperty("javax.net.ssl.trustStorePassword", "trustStoreSecret");
 		Ssl ssl = new Ssl();
 		ssl.setKeyPassword("password");
 		ssl.setKeyStorePassword("secret");
-		ssl.setTrustStorePassword("trustStoreSecret");
 		SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
 		given(sslStoreProvider.getTrustStore()).willReturn(loadStore());
 		given(sslStoreProvider.getKeyStore()).willReturn(loadStore());
@@ -180,6 +186,7 @@ public class SslConnectorCustomizerTests {
 		customizer.customize(connector);
 		this.tomcat.start();
 		assertThat(connector.getState()).isEqualTo(LifecycleState.STARTED);
+		assertThat(this.output.toString()).doesNotContain("Password verification failed");
 	}
 
 	private KeyStore loadStore() throws KeyStoreException, IOException,
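Review bot: `System.setProperty("javax.net.ssl.trustStorePassword", "trustStoreSecret")` at the top of `customizeWhenSslStoreProviderPresentShouldIgnorePasswordFromSsl` mutates JVM-wide state with no comment saying why a system property, rather than the removed `ssl.setTrustStorePassword(...)`, is now the wrong password under test; presumably Tomcat falls back to that property when no trust-store password is configured, which is what the customizer's explicit empty password has to override, but that reasoning is not visible anywhere in the hunk. Add `// Tomcat falls back to this JVM property when no trust-store password is set; a deliberately wrong value proves the customizer's explicit empty password wins` above the call. Because the property is process-wide, the `System.clearProperty` added in the `@After` hunk above restores it only after this test finishes, so any other Tomcat SSL test executing concurrently in the same JVM would observe the bogus password; a one-line comment on the `@After` line stating that this class must not run in parallel with other TLS tests would make that constraint explicit. The final assertion pins the exact Tomcat log text "Password verification failed", which is the right signal here but deserves a short comment so a Tomcat upgrade that rewords the message is recognised as the cause of a failing test rather than a regression in the customizer.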