Merge branch '2.7.x'

Author: scottfrederick

spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -243,6 +243,22 @@
       "name": "server.ssl.trust-store-type",
       "description": "Type of the trust store."
     },
+    {
+      "name": "server.ssl.certificate",
+      "description": "Path to a PEM-encoded SSL certificate file."
+    },
+    {
+      "name": "server.ssl.certificate-private-key",
+      "description": "Path to a PEM-encoded private key file for the SSL certificate."
+    },
+    {
+      "name": "server.ssl.trust-certificate",
+      "description": "Path to a PEM-encoded SSL certificate authority file."
+    },
+    {
+      "name": "server.ssl.trust-certificate-private-key",
+      "description": "Path to a PEM-encoded private key file for the SSL certificate authority."
+    },
     {
       "name": "server.tomcat.max-http-post-size",
       "type": "org.springframework.util.unit.DataSize",

spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto/webserver.adoc

@@ -183,7 +183,7 @@ You can configure this behavior by setting the configprop:server.compression.mim
 [[howto.webserver.configure-ssl]]
 === Configure SSL
 SSL can be configured declaratively by setting the various `+server.ssl.*+` properties, typically in `application.properties` or `application.yml`.
-The following example shows setting SSL properties in `application.properties`:
+The following example shows setting SSL properties using a Java KeyStore file:
 
 [source,yaml,indent=0,subs="verbatim",configprops,configblocks]
 ----
@@ -195,6 +195,19 @@ The following example shows setting SSL properties in `application.properties`:
 	    key-password: "another-secret"
 ----
 
+The following example shows setting SSL properties using PEM-encoded certificate and private key files:
+
+[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
+----
+	server:
+	  port: 8443
+	  ssl:
+	    certificate: "classpath:my-cert.crt"
+	    certificate-private-key: "classpath:my-cert.key"
+	    trust-certificate: "classpath:ca-cert.crt"
+	    key-store-password: "secret"
+----
+
 See {spring-boot-module-code}/web/server/Ssl.java[`Ssl`] for details of all of the supported properties.
 
 Using configuration such as the preceding example means the application no longer supports a plain HTTP connector at port 8080.

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/rsocket/netty/NettyRSocketServerFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,7 @@
 import org.springframework.boot.rsocket.server.RSocketServer;
 import org.springframework.boot.rsocket.server.RSocketServerCustomizer;
 import org.springframework.boot.rsocket.server.RSocketServerFactory;
+import org.springframework.boot.web.server.CertificateFileSslStoreProvider;
 import org.springframework.boot.web.server.Ssl;
 import org.springframework.boot.web.server.SslStoreProvider;
 import org.springframework.http.client.reactive.ReactorResourceFactory;
@@ -51,6 +52,7 @@
  *
  * @author Brian Clozel
  * @author Chris Bono
+ * @author Scott Frederick
  * @since 2.2.0
  */
 public class NettyRSocketServerFactory implements RSocketServerFactory, ConfigurableRSocketServerFactory {
@@ -179,7 +181,7 @@ private ServerTransport<CloseableChannel> createWebSocketTransport() {
 	@SuppressWarnings("deprecation")
 	private HttpServer customizeSslConfiguration(HttpServer httpServer) {
 		org.springframework.boot.web.embedded.netty.SslServerCustomizer sslServerCustomizer = new org.springframework.boot.web.embedded.netty.SslServerCustomizer(
-				this.ssl, null, this.sslStoreProvider);
+				this.ssl, null, getOrCreateSslStoreProvider());
 		return sslServerCustomizer.apply(httpServer);
 	}
 
@@ -189,12 +191,20 @@ private ServerTransport<CloseableChannel> createTcpTransport() {
 			tcpServer = tcpServer.runOn(this.resourceFactory.getLoopResources());
 		}
 		if (this.ssl != null && this.ssl.isEnabled()) {
-			TcpSslServerCustomizer sslServerCustomizer = new TcpSslServerCustomizer(this.ssl, this.sslStoreProvider);
+			TcpSslServerCustomizer sslServerCustomizer = new TcpSslServerCustomizer(this.ssl,
+					getOrCreateSslStoreProvider());
 			tcpServer = sslServerCustomizer.apply(tcpServer);
 		}
 		return TcpServerTransport.create(tcpServer.bindAddress(this::getListenAddress));
 	}
 
+	private SslStoreProvider getOrCreateSslStoreProvider() {
+		if (this.sslStoreProvider != null) {
+			return this.sslStoreProvider;
+		}
+		return CertificateFileSslStoreProvider.from(this.ssl);
+	}
+
 	private InetSocketAddress getListenAddress() {
 		if (this.address != null) {
 			return new InetSocketAddress(this.address.getHostAddress(), this.port);

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyReactiveWebServerFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -236,7 +236,7 @@ private Handler applyWrapper(Handler handler, HandlerWrapper wrapper) {
 	}
 
 	private void customizeSsl(Server server, InetSocketAddress address) {
-		new SslServerCustomizer(address, getSsl(), getSslStoreProvider(), getHttp2()).customize(server);
+		new SslServerCustomizer(address, getSsl(), getOrCreateSslStoreProvider(), getHttp2()).customize(server);
 	}
 
 }

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java

@@ -220,7 +220,7 @@ private Handler applyWrapper(Handler handler, HandlerWrapper wrapper) {
 	}
 
 	private void customizeSsl(Server server, InetSocketAddress address) {
-		new SslServerCustomizer(address, getSsl(), getSslStoreProvider(), getHttp2()).customize(server);
+		new SslServerCustomizer(address, getSsl(), getOrCreateSslStoreProvider(), getHttp2()).customize(server);
 	}
 
 	/**

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/netty/NettyReactiveWebServerFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -179,7 +179,8 @@ private HttpServer createHttpServer() {
 
 	@SuppressWarnings("deprecation")
 	private HttpServer customizeSslConfiguration(HttpServer httpServer) {
-		SslServerCustomizer sslServerCustomizer = new SslServerCustomizer(getSsl(), getHttp2(), getSslStoreProvider());
+		SslServerCustomizer sslServerCustomizer = new SslServerCustomizer(getSsl(), getHttp2(),
+				getOrCreateSslStoreProvider());
 		return sslServerCustomizer.apply(httpServer);
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatReactiveWebServerFactory.java

@@ -221,7 +221,7 @@ private void customizeProtocol(AbstractProtocol<?> protocol) {
 	}
 
 	private void customizeSsl(Connector connector) {
-		new SslConnectorCustomizer(getSsl(), getSslStoreProvider()).customize(connector);
+		new SslConnectorCustomizer(getSsl(), getOrCreateSslStoreProvider()).customize(connector);
 	}
 
 	@Override

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java

@@ -360,7 +360,7 @@ private void invokeProtocolHandlerCustomizers(ProtocolHandler protocolHandler) {
 	}
 
 	private void customizeSsl(Connector connector) {
-		new SslConnectorCustomizer(getSsl(), getSslStoreProvider()).customize(connector);
+		new SslConnectorCustomizer(getSsl(), getOrCreateSslStoreProvider()).customize(connector);
 	}
 
 	/**

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/undertow/UndertowWebServerFactoryDelegate.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -163,7 +163,8 @@ Builder createBuilder(AbstractConfigurableWebServerFactory factory) {
 			builder.setServerOption(UndertowOptions.ENABLE_HTTP2, http2.isEnabled());
 		}
 		if (ssl != null && ssl.isEnabled()) {
-			new SslBuilderCustomizer(factory.getPort(), address, ssl, factory.getSslStoreProvider()).customize(builder);
+			new SslBuilderCustomizer(factory.getPort(), address, ssl, factory.getOrCreateSslStoreProvider())
+					.customize(builder);
 		}
 		else {
 			builder.addHttpListener(port, (address != null) ? address.getHostAddress() : "0.0.0.0");

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@
  * @author Ivan Sopov
  * @author Eddú Meléndez
  * @author Brian Clozel
+ * @author Scott Frederick
  * @since 2.0.0
  */
 public abstract class AbstractConfigurableWebServerFactory implements ConfigurableWebServerFactory {
@@ -179,6 +180,18 @@ public Shutdown getShutdown() {
 		return this.shutdown;
 	}
 
+	/**
+	 * Return the provided {@link SslStoreProvider} or create one using {@link Ssl}
+	 * properties.
+	 * @return the {@code SslStoreProvider}
+	 */
+	public final SslStoreProvider getOrCreateSslStoreProvider() {
+		if (this.sslStoreProvider != null) {
+			return this.sslStoreProvider;
+		}
+		return CertificateFileSslStoreProvider.from(this.ssl);
+	}
+
 	/**
 	 * Return the absolute temp dir for given web server.
 	 * @param prefix server name

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/CertificateFileSslStoreProvider.java

@@ -0,0 +1,118 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.web.server;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * An {@link SslStoreProvider} that creates key and trust stores from certificate and
+ * private key PEM files.
+ *
+ * @author Scott Frederick
+ * @since 2.7.0
+ */
+public final class CertificateFileSslStoreProvider implements SslStoreProvider {
+
+	private static final char[] NO_PASSWORD = {};
+
+	private static final String DEFAULT_KEY_ALIAS = "spring-boot-web";
+
+	private final Ssl ssl;
+
+	private CertificateFileSslStoreProvider(Ssl ssl) {
+		this.ssl = ssl;
+	}
+
+	@Override
+	public KeyStore getKeyStore() throws Exception {
+		return createKeyStore(this.ssl.getCertificate(), this.ssl.getCertificatePrivateKey(),
+				this.ssl.getKeyStorePassword(), this.ssl.getKeyStoreType(), this.ssl.getKeyAlias());
+	}
+
+	@Override
+	public KeyStore getTrustStore() throws Exception {
+		if (this.ssl.getTrustCertificate() == null) {
+			return null;
+		}
+		return createKeyStore(this.ssl.getTrustCertificate(), this.ssl.getTrustCertificatePrivateKey(),
+				this.ssl.getTrustStorePassword(), this.ssl.getTrustStoreType(), this.ssl.getKeyAlias());
+	}
+
+	/**
+	 * Create a new {@link KeyStore} populated with the certificate stored at the
+	 * specified file path and an optional private key.
+	 * @param certPath the path to the certificate authority file
+	 * @param keyPath the path to the private file
+	 * @param password the key store password
+	 * @param storeType the {@code KeyStore} type to create
+	 * @param keyAlias the alias to use when adding keys to the {@code KeyStore}
+	 * @return the {@code KeyStore}
+	 */
+	private KeyStore createKeyStore(String certPath, String keyPath, String password, String storeType,
+			String keyAlias) {
+		try {
+			KeyStore keyStore = KeyStore.getInstance((storeType != null) ? storeType : KeyStore.getDefaultType());
+			keyStore.load(null);
+			X509Certificate[] certificates = CertificateParser.parse(certPath);
+			PrivateKey privateKey = (keyPath != null) ? PrivateKeyParser.parse(keyPath) : null;
+			try {
+				addCertificates(keyStore, certificates, privateKey, password, keyAlias);
+			}
+			catch (KeyStoreException ex) {
+				throw new IllegalStateException("Error adding certificates to KeyStore: " + ex.getMessage(), ex);
+			}
+			return keyStore;
+		}
+		catch (GeneralSecurityException | IOException ex) {
+			throw new IllegalStateException("Error creating KeyStore: " + ex.getMessage(), ex);
+		}
+	}
+
+	private void addCertificates(KeyStore keyStore, X509Certificate[] certificates, PrivateKey privateKey,
+			String password, String keyAlias) throws KeyStoreException {
+		String alias = (keyAlias != null) ? keyAlias : DEFAULT_KEY_ALIAS;
+		if (privateKey != null) {
+			keyStore.setKeyEntry(alias, privateKey, ((password != null) ? password.toCharArray() : NO_PASSWORD),
+					certificates);
+		}
+		else {
+			for (int index = 0; index < certificates.length; index++) {
+				keyStore.setCertificateEntry(alias + "-" + index, certificates[index]);
+			}
+		}
+	}
+
+	/**
+	 * Create a {@link SslStoreProvider} if the appropriate SSL properties are configured.
+	 * @param ssl the SSL properties
+	 * @return a {@code SslStoreProvider} or {@code null}
+	 */
+	public static SslStoreProvider from(Ssl ssl) {
+		if (ssl != null && ssl.isEnabled()) {
+			if (ssl.getCertificate() != null && ssl.getCertificatePrivateKey() != null) {
+				return new CertificateFileSslStoreProvider(ssl);
+			}
+		}
+		return null;
+	}
+
+}