SslStoreProviderUrlStreamHandlerFactory changes the KeyStore password

[jonatan-ivanov]

The issue

I would like to use HTTPS with spring boot (1.5.9) and I would like to get the KeyStore from memory (eventually from HashiCorp Vault) and not from disk. In order to do this, I implemented a SslStoreProvider and set it up through an EmbeddedServletContainerCustomizer; please check this example.

The example above fails because of SslStoreProviderUrlStreamHandlerFactory re-encrypts the KeyStore with an empty password so I get an error: java.io.IOException: keystore password was incorrect:

ByteArrayOutputStream stream = new ByteArrayOutputStream();
this.keyStore.store(stream, new char[0]); //the second parameter is the password
return new ByteArrayInputStream(stream.toByteArray());

I tried to trick this with an empty password but when Tomcat tries to load the InputStream of the KeyStore, in SSLUtilBase, it checks if the password is empty and it will use null in this case:

char[] storePass = null;
if (pass != null && !"".equals(pass)) {
    storePass = pass.toCharArray();
}
ks.load(istream, storePass);

Based on these code snippets, I can't really see how could this work, the password can never be empty when Tomcat tries to load the KeyStore.

Additional details

Tomcat tries to get the KeyStore this way: url.openConnection().getInputStream() in ConfigFileLoader. In order to make this work, TomcatEmbeddedServletContainerFactory will set the url to springbootssl:keyStore and register SslStoreProviderUrlStreamHandlerFactory for this url.

I'm using Spring-Boot 1.5.9-RELEASE, OpenJDK 1.8.0_152 and Gradle 4.4

I created an example which reproduces the issue. I fixed it with a hack (registering a custom url handler before the original one) just to see if this works, please see the commits.

Possible fix

I think this could be fixed in SslStoreProviderUrlStreamHandlerFactory the way I did in the example because when TomcatEmbeddedServletContainerFactory sets this up, it has the Ssl object which contains the password. If this approach could work, I'm happy to create a PR.

[jonatan-ivanov]

@philwebb Could you please check this issue?

[wilkinsona]

Thanks for the sample.

When you are using an SslStoreProvider to provide the store there is no need to configure the server.ssl.key-store-password property. If I check out commit b0e2713 in the sample and remove the property, the problem described in this issue no longer occurs.

It's worth noting that were you to switch to Jetty or Undertow, the property would have no effect and would not be used. I think what we need to do here is to make Tomcat behave in the same way. The current behaviour is an unfortunate side-effect of having to use a UrlStreamHandlerFactory to get Tomcat to consume an in-memory store. Re-using the password from the Ssl object would be one way to do that, but it doesn't feel quite right to me.

[philwebb]

Possibly related to #11395

[mbhave]

@wilkinsona Since the SslStoreProviderUrlStreamHandlerFactory stores the KeyStore with an empty password, I wonder if we could ignore the password from the Ssl object if there is a SslStoreProvider. Maybe something like,

if (sslStoreProvider != null) {
    protocol.setKeystorePass(null);			
}

[wilkinsona]

@mbhave My memory of this is a little hazy now, but that sounds like it would work.

[jonatan-ivanov]

@mbhave @wilkinsona I was able to repro the issue using spring-boot 2.3.5.RELEASE.
It seems if I return a KeyStore in the SslStoreProvider that has a non-empty password, Tomcat won't be able to load it.

I went down to SSLUtilBase where Tomcat loads the keys: Key k = ks.getKey(keyAlias, keyPassArray);.
Here the KeyStore is what I provide (that has a non-empty password) and the password passed in keyPassArray is empty which ends-up in an exception.

What do you think about reopening this issue?