Move PEM verification to spring-boot-autoconfigure

Move `KeyVerifier` to spring-boot-autoconfigure to reduce the
public API required in `PemSslStoreBundle`.

This commit also moves the verify property so that is can be set
per store.

Closes gh-38173

Author: philwebb

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/KeyVerifier.java renamed to spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/KeyVerifier.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.ssl.pem;
+package org.springframework.boot.autoconfigure.ssl;
 
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PemSslBundleProperties.java

@@ -39,11 +39,6 @@ public class PemSslBundleProperties extends SslBundleProperties {
 	 */
 	private final Store truststore = new Store();
 
-	/**
-	 * Whether to verify that the private key matches the public key.
-	 */
-	private boolean verifyKeys;
-
 	public Store getKeystore() {
 		return this.keystore;
 	}
@@ -52,14 +47,6 @@ public Store getTruststore() {
 		return this.truststore;
 	}
 
-	public boolean isVerifyKeys() {
-		return this.verifyKeys;
-	}
-
-	public void setVerifyKeys(boolean verifyKeys) {
-		this.verifyKeys = verifyKeys;
-	}
-
 	/**
 	 * Store properties.
 	 */
@@ -85,6 +72,11 @@ public static class Store {
 		 */
 		private String privateKeyPassword;
 
+		/**
+		 * Whether to verify that the private key matches the public key.
+		 */
+		private boolean verifyKeys;
+
 		public String getType() {
 			return this.type;
 		}
@@ -117,6 +109,14 @@ public void setPrivateKeyPassword(String privateKeyPassword) {
 			this.privateKeyPassword = privateKeyPassword;
 		}
 
+		public boolean isVerifyKeys() {
+			return this.verifyKeys;
+		}
+
+		public void setVerifyKeys(boolean verifyKeys) {
+			this.verifyKeys = verifyKeys;
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java

@@ -16,6 +16,10 @@
 
 package org.springframework.boot.autoconfigure.ssl;
 
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.security.cert.X509Certificate;
+
 import org.springframework.boot.autoconfigure.ssl.SslBundleProperties.Key;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundleKey;
@@ -24,6 +28,7 @@
 import org.springframework.boot.ssl.SslStoreBundle;
 import org.springframework.boot.ssl.jks.JksSslStoreBundle;
 import org.springframework.boot.ssl.jks.JksSslStoreDetails;
+import org.springframework.boot.ssl.pem.PemSslStore;
 import org.springframework.boot.ssl.pem.PemSslStoreBundle;
 import org.springframework.boot.ssl.pem.PemSslStoreDetails;
 
@@ -107,16 +112,39 @@ public static SslBundle get(JksSslBundleProperties properties) {
 	}
 
 	private static SslStoreBundle asSslStoreBundle(PemSslBundleProperties properties) {
-		PemSslStoreDetails keyStoreDetails = asStoreDetails(properties.getKeystore())
-			.withAlias(properties.getKey().getAlias());
-		PemSslStoreDetails trustStoreDetails = asStoreDetails(properties.getTruststore())
-			.withAlias(properties.getKey().getAlias());
-		return new PemSslStoreBundle(keyStoreDetails, trustStoreDetails, properties.isVerifyKeys());
+		PemSslStore keyStore = asPemSslStore(properties.getKeystore(), properties.getKey().getAlias());
+		PemSslStore trustStore = asPemSslStore(properties.getTruststore(), properties.getKey().getAlias());
+		return new PemSslStoreBundle(keyStore, trustStore);
+	}
+
+	private static PemSslStore asPemSslStore(PemSslBundleProperties.Store properties, String alias) {
+		try {
+			PemSslStoreDetails details = asStoreDetails(properties, alias);
+			PemSslStore pemSslStore = PemSslStore.load(details);
+			if (properties.isVerifyKeys()) {
+				verifyPemSslStoreKeys(pemSslStore);
+			}
+			return pemSslStore;
+		}
+		catch (IOException ex) {
+			throw new UncheckedIOException(ex);
+		}
+	}
+
+	private static void verifyPemSslStoreKeys(PemSslStore pemSslStore) {
+		KeyVerifier keyVerifier = new KeyVerifier();
+		for (X509Certificate certificate : pemSslStore.certificates()) {
+			KeyVerifier.Result result = keyVerifier.matches(pemSslStore.privateKey(), certificate.getPublicKey());
+			if (result == KeyVerifier.Result.YES) {
+				return;
+			}
+		}
+		throw new IllegalStateException("Private key matches none of the certificates in the chain");
 	}
 
-	private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties) {
-		return new PemSslStoreDetails(properties.getType(), properties.getCertificate(), properties.getPrivateKey(),
-				properties.getPrivateKeyPassword());
+	private static PemSslStoreDetails asStoreDetails(PemSslBundleProperties.Store properties, String alias) {
+		return new PemSslStoreDetails(properties.getType(), alias, null, properties.getCertificate(),
+				properties.getPrivateKey(), properties.getPrivateKeyPassword());
 	}
 
 	private static SslStoreBundle asSslStoreBundle(JksSslBundleProperties properties) {

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/KeyVerifierTests.java renamed to spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/KeyVerifierTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.ssl.pem;
+package org.springframework.boot.autoconfigure.ssl;
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
@@ -33,7 +33,7 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
-import org.springframework.boot.ssl.pem.KeyVerifier.Result;
+import org.springframework.boot.autoconfigure.ssl.KeyVerifier.Result;
 
 import static org.assertj.core.api.Assertions.assertThat;
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java

@@ -20,12 +20,15 @@
 import java.security.KeyStore;
 import java.security.cert.Certificate;
 import java.util.Set;
+import java.util.function.Consumer;
 
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.ssl.SslBundle;
+import org.springframework.util.function.ThrowingConsumer;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
 
 /**
  * Tests for {@link PropertiesSslBundle}.
@@ -35,6 +38,8 @@
  */
 class PropertiesSslBundleTests {
 
+	private static final char[] EMPTY_KEY_PASSWORD = new char[] {};
+
 	@Test
 	void pemPropertiesAreMappedToSslBundle() throws Exception {
 		PemSslBundleProperties properties = new PemSslBundleProperties();
@@ -99,4 +104,47 @@ void jksPropertiesAreMappedToSslBundle() {
 		assertThat(trustStore.getProvider().getName()).isEqualTo("SUN");
 	}
 
+	@Test
+	void getWithPemSslBundlePropertiesWhenVerifyKeyStoreAgainstSingleCertificateWithMatchCreatesBundle() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key1.crt");
+		properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key1.pem");
+		properties.getKeystore().setVerifyKeys(true);
+		properties.getKey().setAlias("test-alias");
+		SslBundle bundle = PropertiesSslBundle.get(properties);
+		assertThat(bundle.getStores().getKeyStore()).satisfies(storeContainingCertAndKey("test-alias"));
+	}
+
+	@Test
+	void getWithPemSslBundlePropertiesWhenVerifyKeyStoreAgainstCertificateChainWithMatchCreatesBundle() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key2-chain.crt");
+		properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key2.pem");
+		properties.getKeystore().setVerifyKeys(true);
+		properties.getKey().setAlias("test-alias");
+		SslBundle bundle = PropertiesSslBundle.get(properties);
+		assertThat(bundle.getStores().getKeyStore()).satisfies(storeContainingCertAndKey("test-alias"));
+	}
+
+	@Test
+	void getWithPemSslBundlePropertiesWhenVerifyKeyStoreWithNoMatchThrowsException() {
+		PemSslBundleProperties properties = new PemSslBundleProperties();
+		properties.getKeystore().setCertificate("classpath:org/springframework/boot/autoconfigure/ssl/key2.crt");
+		properties.getKeystore().setPrivateKey("classpath:org/springframework/boot/autoconfigure/ssl/key1.pem");
+		properties.getKeystore().setVerifyKeys(true);
+		properties.getKey().setAlias("test-alias");
+		assertThatIllegalStateException().isThrownBy(() -> PropertiesSslBundle.get(properties))
+			.withMessageContaining("Private key matches none of the certificates");
+	}
+
+	private Consumer<KeyStore> storeContainingCertAndKey(String keyAlias) {
+		return ThrowingConsumer.of((keyStore) -> {
+			assertThat(keyStore).isNotNull();
+			assertThat(keyStore.getType()).isEqualTo(KeyStore.getDefaultType());
+			assertThat(keyStore.containsAlias(keyAlias)).isTrue();
+			assertThat(keyStore.getCertificate(keyAlias)).isNotNull();
+			assertThat(keyStore.getKey(keyAlias, EMPTY_KEY_PASSWORD)).isNotNull();
+		});
+	}
+
 }