Use Tomcat SSLHostConfig API for SSL configuration

scottfrederick · scottfrederick · commit 103c2bdd7d58 · 2022-04-04T15:22:43.000-05:00
Closes gh-30531
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,11 +19,12 @@
 import java.io.FileNotFoundException;
 
 import org.apache.catalina.connector.Connector;
-import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
 import org.apache.coyote.ProtocolHandler;
 import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
 import org.apache.coyote.http11.Http11NioProtocol;
 import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 
 import org.springframework.boot.web.server.Ssl;
 import org.springframework.boot.web.server.SslStoreProvider;
@@ -36,6 +37,8 @@
  * {@link TomcatConnectorCustomizer} that configures SSL support on the given connector.
  *
  * @author Brian Clozel
+ * @author Andy Wilkinson
+ * @author Scott Frederick
  */
 class SslConnectorCustomizer implements TomcatConnectorCustomizer {
 
@@ -67,95 +70,102 @@ public void customize(Connector connector) {
 	 */
 	protected void configureSsl(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl, SslStoreProvider sslStoreProvider) {
 		protocol.setSSLEnabled(true);
-		protocol.setSslProtocol(ssl.getProtocol());
-		configureSslClientAuth(protocol, ssl);
+		SSLHostConfig sslHostConfig = new SSLHostConfig();
+		sslHostConfig.setHostName(protocol.getDefaultSSLHostConfigName());
+		sslHostConfig.setSslProtocol(ssl.getProtocol());
+		protocol.addSslHostConfig(sslHostConfig);
+		configureSslClientAuth(sslHostConfig, ssl);
+		SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
 		if (ssl.getKeyStorePassword() != null) {
-			protocol.setKeystorePass(ssl.getKeyStorePassword());
+			certificate.setCertificateKeystorePassword(ssl.getKeyStorePassword());
 		}
 		if (ssl.getKeyPassword() != null) {
-			protocol.setKeyPass(ssl.getKeyPassword());
+			certificate.setCertificateKeyPassword(ssl.getKeyPassword());
 		}
-		protocol.setKeyAlias(ssl.getKeyAlias());
+		if (ssl.getKeyAlias() != null) {
+			certificate.setCertificateKeyAlias(ssl.getKeyAlias());
+		}
+		sslHostConfig.addCertificate(certificate);
 		String ciphers = StringUtils.arrayToCommaDelimitedString(ssl.getCiphers());
 		if (StringUtils.hasText(ciphers)) {
-			protocol.setCiphers(ciphers);
+			sslHostConfig.setCiphers(ciphers);
+		}
+		configureEnabledProtocols(protocol, ssl);
+		if (sslStoreProvider != null) {
+			configureSslStoreProvider(protocol, sslHostConfig, certificate, sslStoreProvider);
 		}
+		else {
+			configureSslKeyStore(certificate, ssl);
+			configureSslTrustStore(sslHostConfig, ssl);
+		}
+	}
+
+	private void configureEnabledProtocols(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
 		if (ssl.getEnabledProtocols() != null) {
 			for (SSLHostConfig sslHostConfig : protocol.findSslHostConfigs()) {
 				sslHostConfig.setProtocols(StringUtils.arrayToCommaDelimitedString(ssl.getEnabledProtocols()));
 			}
 		}
-		if (sslStoreProvider != null) {
-			configureSslStoreProvider(protocol, sslStoreProvider);
-		}
-		else {
-			configureSslKeyStore(protocol, ssl);
-			configureSslTrustStore(protocol, ssl);
-		}
 	}
 
-	private void configureSslClientAuth(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
+	private void configureSslClientAuth(SSLHostConfig config, Ssl ssl) {
 		if (ssl.getClientAuth() == Ssl.ClientAuth.NEED) {
-			protocol.setClientAuth(Boolean.TRUE.toString());
+			config.setCertificateVerification("required");
 		}
 		else if (ssl.getClientAuth() == Ssl.ClientAuth.WANT) {
-			protocol.setClientAuth("want");
+			config.setCertificateVerification("optional");
 		}
 	}
 
-	protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol,
-			SslStoreProvider sslStoreProvider) {
+	protected void configureSslStoreProvider(AbstractHttp11JsseProtocol<?> protocol, SSLHostConfig sslHostConfig,
+			SSLHostConfigCertificate certificate, SslStoreProvider sslStoreProvider) {
 		Assert.isInstanceOf(Http11NioProtocol.class, protocol,
 				"SslStoreProvider can only be used with Http11NioProtocol");
-		TomcatURLStreamHandlerFactory instance = TomcatURLStreamHandlerFactory.getInstance();
-		instance.addUserFactory(new SslStoreProviderUrlStreamHandlerFactory(sslStoreProvider));
 		try {
 			if (sslStoreProvider.getKeyStore() != null) {
-				protocol.setKeystorePass("");
-				protocol.setKeystoreFile(SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
+				certificate.setCertificateKeystore(sslStoreProvider.getKeyStore());
 			}
 			if (sslStoreProvider.getTrustStore() != null) {
-				protocol.setTruststorePass("");
-				protocol.setTruststoreFile(SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
+				sslHostConfig.setTrustStore(sslStoreProvider.getTrustStore());
 			}
 		}
 		catch (Exception ex) {
 			throw new WebServerException("Could not load store: " + ex.getMessage(), ex);
 		}
 	}
 
-	private void configureSslKeyStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
+	private void configureSslKeyStore(SSLHostConfigCertificate certificate, Ssl ssl) {
 		try {
-			protocol.setKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString());
+			certificate.setCertificateKeystoreFile(ResourceUtils.getURL(ssl.getKeyStore()).toString());
 		}
 		catch (Exception ex) {
 			throw new WebServerException("Could not load key store '" + ssl.getKeyStore() + "'", ex);
 		}
 		if (ssl.getKeyStoreType() != null) {
-			protocol.setKeystoreType(ssl.getKeyStoreType());
+			certificate.setCertificateKeystoreType(ssl.getKeyStoreType());
 		}
 		if (ssl.getKeyStoreProvider() != null) {
-			protocol.setKeystoreProvider(ssl.getKeyStoreProvider());
+			certificate.setCertificateKeystoreProvider(ssl.getKeyStoreProvider());
 		}
 	}
 
-	private void configureSslTrustStore(AbstractHttp11JsseProtocol<?> protocol, Ssl ssl) {
+	private void configureSslTrustStore(SSLHostConfig sslHostConfig, Ssl ssl) {
 		if (ssl.getTrustStore() != null) {
 			try {
-				protocol.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString());
+				sslHostConfig.setTruststoreFile(ResourceUtils.getURL(ssl.getTrustStore()).toString());
 			}
 			catch (FileNotFoundException ex) {
 				throw new WebServerException("Could not load trust store: " + ex.getMessage(), ex);
 			}
 		}
 		if (ssl.getTrustStorePassword() != null) {
-			protocol.setTruststorePass(ssl.getTrustStorePassword());
+			sslHostConfig.setTruststorePassword(ssl.getTrustStorePassword());
 		}
 		if (ssl.getTrustStoreType() != null) {
-			protocol.setTruststoreType(ssl.getTrustStoreType());
+			sslHostConfig.setTruststoreType(ssl.getTrustStoreType());
 		}
 		if (ssl.getTrustStoreProvider() != null) {
-			protocol.setTruststoreProvider(ssl.getTrustStoreProvider());
+			sslHostConfig.setTruststoreProvider(ssl.getTrustStoreProvider());
 		}
 	}
 
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslStoreProviderUrlStreamHandlerFactory.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslStoreProviderUrlStreamHandlerFactory.java
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,13 +23,15 @@
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 import org.apache.catalina.LifecycleState;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.webresources.TomcatURLStreamHandlerFactory;
-import org.apache.coyote.http11.Http11NioProtocol;
 import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -53,6 +55,8 @@
  * Tests for {@link SslConnectorCustomizer}
  *
  * @author Brian Clozel
+ * @author Andy Wilkinson
+ * @author Scott Frederick
  */
 @ExtendWith(OutputCaptureExtension.class)
 class SslConnectorCustomizerTests {
@@ -129,16 +133,18 @@ void customizeWhenSslStoreProviderProvidesOnlyKeyStoreShouldUseDefaultTruststore
 		ssl.setKeyPassword("password");
 		ssl.setTrustStore("src/test/resources/test.jks");
 		SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
-		given(sslStoreProvider.getKeyStore()).willReturn(loadStore());
+		KeyStore keyStore = loadStore();
+		given(sslStoreProvider.getKeyStore()).willReturn(keyStore);
 		SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, sslStoreProvider);
 		Connector connector = this.tomcat.getConnector();
 		customizer.customize(connector);
 		this.tomcat.start();
 		SSLHostConfig sslHostConfig = connector.getProtocolHandler().findSslHostConfigs()[0];
 		SSLHostConfig sslHostConfigWithDefaults = new SSLHostConfig();
 		assertThat(sslHostConfig.getTruststoreFile()).isEqualTo(sslHostConfigWithDefaults.getTruststoreFile());
-		assertThat(sslHostConfig.getCertificateKeystoreFile())
-				.isEqualTo(SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
+		Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates();
+		assertThat(certificates).hasSize(1);
+		assertThat(certificates.iterator().next().getCertificateKeystore()).isEqualTo(keyStore);
 	}
 
 	@Test
@@ -147,7 +153,8 @@ void customizeWhenSslStoreProviderProvidesOnlyTrustStoreShouldUseDefaultKeystore
 		ssl.setKeyPassword("password");
 		ssl.setKeyStore("src/test/resources/test.jks");
 		SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
-		given(sslStoreProvider.getTrustStore()).willReturn(loadStore());
+		KeyStore trustStore = loadStore();
+		given(sslStoreProvider.getTrustStore()).willReturn(trustStore);
 		SslConnectorCustomizer customizer = new SslConnectorCustomizer(ssl, sslStoreProvider);
 		Connector connector = this.tomcat.getConnector();
 		customizer.customize(connector);
@@ -156,10 +163,11 @@ void customizeWhenSslStoreProviderProvidesOnlyTrustStoreShouldUseDefaultKeystore
 		sslHostConfig.getCertificates(true);
 		SSLHostConfig sslHostConfigWithDefaults = new SSLHostConfig();
 		sslHostConfigWithDefaults.getCertificates(true);
-		assertThat(sslHostConfig.getTruststoreFile())
-				.isEqualTo(SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
-		assertThat(sslHostConfig.getCertificateKeystoreFile())
-				.contains(sslHostConfigWithDefaults.getCertificateKeystoreFile());
+		assertThat(sslHostConfig.getTruststore()).isEqualTo(trustStore);
+		System.out.println(sslHostConfig.getCertificates(false).stream()
+				.map(SSLHostConfigCertificate::getCertificateFile).collect(Collectors.toList()));
+		System.out.println(sslHostConfigWithDefaults.getCertificates(false).stream()
+				.map(SSLHostConfigCertificate::getCertificateFile).collect(Collectors.toList()));
 	}
 
 	@Test
@@ -186,37 +194,6 @@ void customizeWhenSslIsEnabledWithNoKeyStoreThrowsWebServerException() {
 				.withMessageContaining("Could not load key store 'null'");
 	}
 
-	@Test
-	void keyStorePasswordIsNotSetWhenNull() {
-		Http11NioProtocol protocol = (Http11NioProtocol) this.tomcat.getConnector().getProtocolHandler();
-		protocol.setKeystorePass("password");
-		Ssl ssl = new Ssl();
-		ssl.setKeyStore("src/test/resources/test.jks");
-		new SslConnectorCustomizer(ssl, null).customize(this.tomcat.getConnector());
-		assertThat(protocol.getKeystorePass()).isEqualTo("password");
-	}
-
-	@Test
-	void keyPasswordIsNotSetWhenNull() {
-		Http11NioProtocol protocol = (Http11NioProtocol) this.tomcat.getConnector().getProtocolHandler();
-		protocol.setKeyPass("password");
-		Ssl ssl = new Ssl();
-		ssl.setKeyStore("src/test/resources/test.jks");
-		new SslConnectorCustomizer(ssl, null).customize(this.tomcat.getConnector());
-		assertThat(protocol.getKeyPass()).isEqualTo("password");
-	}
-
-	@Test
-	void trustStorePasswordIsNotSetWhenNull() {
-		Http11NioProtocol protocol = (Http11NioProtocol) this.tomcat.getConnector().getProtocolHandler();
-		protocol.setTruststorePass("password");
-		Ssl ssl = new Ssl();
-		ssl.setKeyStore("src/test/resources/test.jks");
-		ssl.setTrustStore("src/test/resources/test.jks");
-		new SslConnectorCustomizer(ssl, null).customize(this.tomcat.getConnector());
-		assertThat(protocol.getTruststorePass()).isEqualTo("password");
-	}
-
 	private KeyStore loadStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
 		KeyStore keyStore = KeyStore.getInstance("JKS");
 		Resource resource = new ClassPathResource("test.jks");
