Merge branch '3.1.x'

Author: scottfrederick

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java

@@ -66,6 +66,11 @@ public static class Store {
 		 */
 		String privateKey;
 
+		/**
+		 * Password used to decrypt an encrypted private key.
+		 */
+		String privateKeyPassword;
+
 		public String getType() {
 			return this.type;
 		}
@@ -90,6 +95,14 @@ public void setPrivateKey(String privateKey) {
 			this.privateKey = privateKey;
 		}
 
+		public String getPrivateKeyPassword() {
+			return this.privateKeyPassword;
+		}
+
+		public void setPrivateKeyPassword(String privateKeyPassword) {
+			this.privateKeyPassword = privateKeyPassword;
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java

@@ -113,7 +113,8 @@ private static SslStoreBundle asSslStoreBundle(PemSslBundleProperties properties
 	}
 
 	private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties) {
-		return new PemSslStoreDetails(properties.getType(), properties.getCertificate(), properties.getPrivateKey());
+		return new PemSslStoreDetails(properties.getType(), properties.getCertificate(), properties.getPrivateKey(),
+				properties.getPrivateKeyPassword());
 	}
 
 	private static SslStoreBundle asSslStoreBundle(JksSslBundleProperties properties) {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.ssl;
+
+import java.util.Set;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.boot.ssl.SslBundle;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link PropertiesSslBundle}.
+ *
+ * @author Scott Frederick
+ */
+class PropertiesSslBundleTests {
+
+	@Test
+	void pemPropertiesAreMappedToSslBundle() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKey().setAlias("alias");
+		properties.getKey().setPassword("secret");
+		properties.getOptions().setCiphers(Set.of("cipher1", "cipher2", "cipher3"));
+		properties.getOptions().setEnabledProtocols(Set.of("protocol1", "protocol2"));
+		properties.getKeystore().setCertificate("cert1.pem");
+		properties.getKeystore().setPrivateKey("key1.pem");
+		properties.getKeystore().setPrivateKeyPassword("keysecret1");
+		properties.getKeystore().setType("PKCS12");
+		properties.getTruststore().setCertificate("cert2.pem");
+		properties.getTruststore().setPrivateKey("key2.pem");
+		properties.getTruststore().setPrivateKeyPassword("keysecret2");
+		properties.getTruststore().setType("JKS");
+		SslBundle sslBundle = PropertiesSslBundle.get(properties);
+		assertThat(sslBundle.getKey().getAlias()).isEqualTo("alias");
+		assertThat(sslBundle.getKey().getPassword()).isEqualTo("secret");
+		assertThat(sslBundle.getOptions().getCiphers()).containsExactlyInAnyOrder("cipher1", "cipher2", "cipher3");
+		assertThat(sslBundle.getOptions().getEnabledProtocols()).containsExactlyInAnyOrder("protocol1", "protocol2");
+		assertThat(sslBundle.getStores()).isNotNull();
+		assertThat(sslBundle.getStores()).extracting("keyStoreDetails")
+			.extracting("certificate", "privateKey", "privateKeyPassword", "type")
+			.containsExactly("cert1.pem", "key1.pem", "keysecret1", "PKCS12");
+		assertThat(sslBundle.getStores()).extracting("trustStoreDetails")
+			.extracting("certificate", "privateKey", "privateKeyPassword", "type")
+			.containsExactly("cert2.pem", "key2.pem", "keysecret2", "JKS");
+	}
+
+	@Test
+	void jksPropertiesAreMappedToSslBundle() {
+		JksSslBundleProperties properties = new JksSslBundleProperties();
+		properties.getKey().setAlias("alias");
+		properties.getKey().setPassword("secret");
+		properties.getOptions().setCiphers(Set.of("cipher1", "cipher2", "cipher3"));
+		properties.getOptions().setEnabledProtocols(Set.of("protocol1", "protocol2"));
+		properties.getKeystore().setLocation("cert1.p12");
+		properties.getKeystore().setPassword("secret1");
+		properties.getKeystore().setProvider("provider1");
+		properties.getKeystore().setType("JKS");
+		properties.getTruststore().setLocation("cert2.jks");
+		properties.getTruststore().setPassword("secret2");
+		properties.getTruststore().setProvider("provider2");
+		properties.getTruststore().setType("PKCS12");
+		SslBundle sslBundle = PropertiesSslBundle.get(properties);
+		assertThat(sslBundle.getKey().getAlias()).isEqualTo("alias");
+		assertThat(sslBundle.getKey().getPassword()).isEqualTo("secret");
+		assertThat(sslBundle.getOptions().getCiphers()).containsExactlyInAnyOrder("cipher1", "cipher2", "cipher3");
+		assertThat(sslBundle.getOptions().getEnabledProtocols()).containsExactlyInAnyOrder("protocol1", "protocol2");
+		assertThat(sslBundle.getStores()).isNotNull();
+		assertThat(sslBundle.getStores()).extracting("keyStoreDetails")
+			.extracting("location", "password", "provider", "type")
+			.containsExactly("cert1.p12", "secret1", "provider1", "JKS");
+		assertThat(sslBundle.getStores()).extracting("trustStoreDetails")
+			.extracting("location", "password", "provider", "type")
+			.containsExactly("cert2.jks", "secret2", "provider2", "PKCS12");
+	}
+
+}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java

@@ -18,6 +18,7 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.PrivateKey;
@@ -27,10 +28,18 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
-import java.util.function.Function;
+import java.util.function.BiFunction;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.crypto.Cipher;
+import javax.crypto.EncryptedPrivateKeyInfo;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+
+import org.springframework.util.Assert;
+
 /**
  * Parser for PKCS private key files in PEM format.
  *
@@ -48,18 +57,27 @@ final class PemPrivateKeyParser {
 
 	private static final String PKCS8_FOOTER = "-+END\\s+PRIVATE\\s+KEY[^-]*-+";
 
+	private static final String PKCS8_ENCRYPTED_HEADER = "-+BEGIN\\s+ENCRYPTED\\s+PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+";
+
+	private static final String PKCS8_ENCRYPTED_FOOTER = "-+END\\s+ENCRYPTED\\s+PRIVATE\\s+KEY[^-]*-+";
+
 	private static final String EC_HEADER = "-+BEGIN\\s+EC\\s+PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+";
 
 	private static final String EC_FOOTER = "-+END\\s+EC\\s+PRIVATE\\s+KEY[^-]*-+";
 
 	private static final String BASE64_TEXT = "([a-z0-9+/=\\r\\n]+)";
 
+	public static final int BASE64_TEXT_GROUP = 1;
+
 	private static final List<PemParser> PEM_PARSERS;
 	static {
 		List<PemParser> parsers = new ArrayList<>();
 		parsers.add(new PemParser(PKCS1_HEADER, PKCS1_FOOTER, PemPrivateKeyParser::createKeySpecForPkcs1, "RSA"));
 		parsers.add(new PemParser(EC_HEADER, EC_FOOTER, PemPrivateKeyParser::createKeySpecForEc, "EC"));
-		parsers.add(new PemParser(PKCS8_HEADER, PKCS8_FOOTER, PKCS8EncodedKeySpec::new, "RSA", "EC", "DSA", "Ed25519"));
+		parsers.add(new PemParser(PKCS8_HEADER, PKCS8_FOOTER, PemPrivateKeyParser::createKeySpecForPkcs8, "RSA", "EC",
+				"DSA", "Ed25519"));
+		parsers.add(new PemParser(PKCS8_ENCRYPTED_HEADER, PKCS8_ENCRYPTED_FOOTER,
+				PemPrivateKeyParser::createKeySpecForPkcs8Encrypted, "RSA", "EC", "DSA", "Ed25519"));
 		PEM_PARSERS = Collections.unmodifiableList(parsers);
 	}
 
@@ -81,11 +99,11 @@ final class PemPrivateKeyParser {
 	private PemPrivateKeyParser() {
 	}
 
-	private static PKCS8EncodedKeySpec createKeySpecForPkcs1(byte[] bytes) {
+	private static PKCS8EncodedKeySpec createKeySpecForPkcs1(byte[] bytes, String password) {
 		return createKeySpecForAlgorithm(bytes, RSA_ALGORITHM, null);
 	}
 
-	private static PKCS8EncodedKeySpec createKeySpecForEc(byte[] bytes) {
+	private static PKCS8EncodedKeySpec createKeySpecForEc(byte[] bytes, String password) {
 		return createKeySpecForAlgorithm(bytes, EC_ALGORITHM, EC_PARAMETERS);
 	}
 
@@ -106,18 +124,37 @@ private static PKCS8EncodedKeySpec createKeySpecForAlgorithm(byte[] bytes, int[]
 		}
 	}
 
+	private static PKCS8EncodedKeySpec createKeySpecForPkcs8(byte[] bytes, String password) {
+		return new PKCS8EncodedKeySpec(bytes);
+	}
+
+	private static PKCS8EncodedKeySpec createKeySpecForPkcs8Encrypted(byte[] bytes, String password) {
+		return Pkcs8PrivateKeyDecryptor.decrypt(bytes, password);
+	}
+
 	/**
 	 * Parse a private key from the specified string.
 	 * @param key the private key to parse
 	 * @return the parsed private key
 	 */
 	static PrivateKey parse(String key) {
+		return parse(key, null);
+	}
+
+	/**
+	 * Parse a private key from the specified string, using the provided password for
+	 * decryption if necessary.
+	 * @param key the private key to parse
+	 * @param password the password used to decrypt an encrypted private key
+	 * @return the parsed private key
+	 */
+	static PrivateKey parse(String key, String password) {
 		if (key == null) {
 			return null;
 		}
 		try {
 			for (PemParser pemParser : PEM_PARSERS) {
-				PrivateKey privateKey = pemParser.parse(key);
+				PrivateKey privateKey = pemParser.parse(key, password);
 				if (privateKey != null) {
 					return privateKey;
 				}
@@ -136,30 +173,30 @@ private static class PemParser {
 
 		private final Pattern pattern;
 
-		private final Function<byte[], PKCS8EncodedKeySpec> keySpecFactory;
+		private final BiFunction<byte[], String, PKCS8EncodedKeySpec> keySpecFactory;
 
 		private final String[] algorithms;
 
-		PemParser(String header, String footer, Function<byte[], PKCS8EncodedKeySpec> keySpecFactory,
+		PemParser(String header, String footer, BiFunction<byte[], String, PKCS8EncodedKeySpec> keySpecFactory,
 				String... algorithms) {
 			this.pattern = Pattern.compile(header + BASE64_TEXT + footer, Pattern.CASE_INSENSITIVE);
-			this.algorithms = algorithms;
 			this.keySpecFactory = keySpecFactory;
+			this.algorithms = algorithms;
 		}
 
-		PrivateKey parse(String text) {
+		PrivateKey parse(String text, String password) {
 			Matcher matcher = this.pattern.matcher(text);
-			return (!matcher.find()) ? null : parse(decodeBase64(matcher.group(1)));
+			return (!matcher.find()) ? null : parse(decodeBase64(matcher.group(BASE64_TEXT_GROUP)), password);
 		}
 
 		private static byte[] decodeBase64(String content) {
 			byte[] contentBytes = content.replaceAll("\r", "").replaceAll("\n", "").getBytes();
 			return Base64.getDecoder().decode(contentBytes);
 		}
 
-		private PrivateKey parse(byte[] bytes) {
+		private PrivateKey parse(byte[] bytes, String password) {
 			try {
-				PKCS8EncodedKeySpec keySpec = this.keySpecFactory.apply(bytes);
+				PKCS8EncodedKeySpec keySpec = this.keySpecFactory.apply(bytes, password);
 				for (String algorithm : this.algorithms) {
 					KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
 					try {
@@ -251,4 +288,34 @@ byte[] toByteArray() {
 
 	}
 
+	static class Pkcs8PrivateKeyDecryptor {
+
+		public static final String PBES2_ALGORITHM = "PBES2";
+
+		static PKCS8EncodedKeySpec decrypt(byte[] bytes, String password) {
+			Assert.notNull(password, "Password is required for an encrypted private key");
+			try {
+				EncryptedPrivateKeyInfo keyInfo = new EncryptedPrivateKeyInfo(bytes);
+				AlgorithmParameters algorithmParameters = keyInfo.getAlgParameters();
+				String encryptionAlgorithm = getEncryptionAlgorithm(algorithmParameters, keyInfo.getAlgName());
+				SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(encryptionAlgorithm);
+				SecretKey key = keyFactory.generateSecret(new PBEKeySpec(password.toCharArray()));
+				Cipher cipher = Cipher.getInstance(encryptionAlgorithm);
+				cipher.init(Cipher.DECRYPT_MODE, key, algorithmParameters);
+				return keyInfo.getKeySpec(cipher);
+			}
+			catch (IOException | GeneralSecurityException ex) {
+				throw new IllegalArgumentException("Error decrypting private key", ex);
+			}
+		}
+
+		private static String getEncryptionAlgorithm(AlgorithmParameters algParameters, String algName) {
+			if (algParameters != null && PBES2_ALGORITHM.equals(algName)) {
+				return algParameters.toString();
+			}
+			return algName;
+		}
+
+	}
+
 }

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java

@@ -84,14 +84,14 @@ private KeyStore createKeyStore(String name, PemSslStoreDetails details) {
 			return null;
 		}
 		try {
-			Assert.notNull(details.certificate(), "CertificateContent must not be null");
+			Assert.notNull(details.certificate(), "Certificate content must not be null");
 			String type = (!StringUtils.hasText(details.type())) ? KeyStore.getDefaultType() : details.type();
 			KeyStore store = KeyStore.getInstance(type);
 			store.load(null);
 			String certificateContent = PemContent.load(details.certificate());
 			String privateKeyContent = PemContent.load(details.privateKey());
 			X509Certificate[] certificates = PemCertificateParser.parse(certificateContent);
-			PrivateKey privateKey = PemPrivateKeyParser.parse(privateKeyContent);
+			PrivateKey privateKey = PemPrivateKeyParser.parse(privateKeyContent, details.privateKeyPassword());
 			addCertificates(store, certificates, privateKey);
 			return store;
 		}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java

@@ -30,19 +30,33 @@
  * that can be loaded by {@link ResourceUtils#getURL})
  * @param privateKey the private key content (either the PEM content itself or something
  * that can be loaded by {@link ResourceUtils#getURL})
+ * @param privateKeyPassword a password used to decrypt an encrypted private key
  * @author Scott Frederick
  * @author Phillip Webb
  * @since 3.1.0
  */
-public record PemSslStoreDetails(String type, String certificate, String privateKey) {
+public record PemSslStoreDetails(String type, String certificate, String privateKey, String privateKeyPassword) {
+
+	public PemSslStoreDetails(String type, String certificate, String privateKey) {
+		this(type, certificate, privateKey, null);
+	}
 
 	/**
 	 * Return a new {@link PemSslStoreDetails} instance with a new private key.
 	 * @param privateKey the new private key
 	 * @return a new {@link PemSslStoreDetails} instance
 	 */
 	public PemSslStoreDetails withPrivateKey(String privateKey) {
-		return new PemSslStoreDetails(this.type, this.certificate, privateKey);
+		return new PemSslStoreDetails(this.type, this.certificate, privateKey, this.privateKeyPassword);
+	}
+
+	/**
+	 * Return a new {@link PemSslStoreDetails} instance with a new private key password.
+	 * @param password the new private key password
+	 * @return a new {@link PemSslStoreDetails} instance
+	 */
+	public PemSslStoreDetails withPrivateKeyPassword(String password) {
+		return new PemSslStoreDetails(this.type, this.certificate, this.privateKey, password);
 	}
 
 	boolean isEmpty() {