Polish SSL

Author: mhalbritter

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/CertificateMatcher.java

@@ -26,6 +26,8 @@
 import java.util.List;
 import java.util.Objects;
 
+import org.springframework.util.Assert;
+
 /**
  * Helper used to match certificates against a {@link PrivateKey}.
  *
@@ -48,14 +50,16 @@ class CertificateMatcher {
 	private final byte[] generatedSignature;
 
 	CertificateMatcher(PrivateKey privateKey) {
+		Assert.notNull(privateKey, "Private key must not be null");
 		this.privateKey = privateKey;
 		this.signature = createSignature(privateKey);
+		Assert.notNull(this.signature, "Failed to create signature");
 		this.generatedSignature = sign(this.signature, privateKey);
 	}
 
 	private Signature createSignature(PrivateKey privateKey) {
 		try {
-			String algorithm = getSignatureAlgorithm(this.privateKey);
+			String algorithm = getSignatureAlgorithm(privateKey);
 			return (algorithm != null) ? Signature.getInstance(algorithm) : null;
 		}
 		catch (NoSuchAlgorithmException ex) {

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java

@@ -120,7 +120,7 @@ private static PemSslStore getPemSslStore(String propertyName, PemSslBundlePrope
 		if (properties.isVerifyKeys()) {
 			CertificateMatcher certificateMatcher = new CertificateMatcher(pemSslStore.privateKey());
 			Assert.state(certificateMatcher.matchesAny(pemSslStore.certificates()),
-					"Private key matches none of the certificates in the chain");
+					"Private key in %s matches none of the certificates in the chain".formatted(propertyName));
 		}
 		return pemSslStore;
 	}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundleTests.java

@@ -134,7 +134,7 @@ void getWithPemSslBundlePropertiesWhenVerifyKeyStoreWithNoMatchThrowsException()
 		properties.getKeystore().setVerifyKeys(true);
 		properties.getKey().setAlias("test-alias");
 		assertThatIllegalStateException().isThrownBy(() -> PropertiesSslBundle.get(properties))
-			.withMessageContaining("Private key matches none of the certificates");
+			.withMessageContaining("Private key in keystore matches none of the certificates");
 	}
 
 	private Consumer<KeyStore> storeContainingCertAndKey(String keyAlias) {

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemContent.java

@@ -48,7 +48,7 @@ public final class PemContent {
 
 	private static final Pattern PEM_FOOTER = Pattern.compile("-+END\\s+[^-]*-+", Pattern.CASE_INSENSITIVE);
 
-	private String text;
+	private final String text;
 
 	private PemContent(String text) {
 		this.text = text;

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java

@@ -130,7 +130,7 @@ private static int[] getEcParameters(DerElement parameters) {
 		}
 		Assert.state(parameters.isType(ValueType.ENCODED), "Key spec should contain encoded parameters");
 		DerElement contents = DerElement.of(parameters.getContents());
-		Assert.state(contents.isType(ValueType.PRIMITIVE, TagType.OBJECT_IDENTIFIER),
+		Assert.state(contents != null && contents.isType(ValueType.PRIMITIVE, TagType.OBJECT_IDENTIFIER),
 				"Key spec parameters should contain object identifier");
 		return getEcParameters(contents.getContents());
 	}
@@ -237,6 +237,7 @@ private PrivateKey parse(byte[] bytes, String password) {
 					return keyFactory.generatePrivate(keySpec);
 				}
 				catch (InvalidKeySpecException | NoSuchAlgorithmException ex) {
+					// Ignore
 				}
 			}
 			return null;
@@ -264,10 +265,6 @@ void octetString(byte[] bytes) throws IOException {
 			codeLengthBytes(0x04, bytes);
 		}
 
-		void sequence(int... elements) throws IOException {
-			sequence(bytes(elements));
-		}
-
 		void sequence(byte[] bytes) throws IOException {
 			codeLengthBytes(0x30, bytes);
 		}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStore.java

@@ -48,7 +48,7 @@ public interface PemSslStore {
 	String alias();
 
 	/**
-	 * the password used
+	 * The password used when
 	 * {@link KeyStore#setKeyEntry(String, java.security.Key, char[], java.security.cert.Certificate[])
 	 * setting key entries} in the {@link KeyStore}.
 	 * @return the password

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java

@@ -51,7 +51,6 @@ public class PemSslStoreBundle implements SslStoreBundle {
 	 * @param keyStoreDetails the key store details
 	 * @param trustStoreDetails the trust store details
 	 */
-	@SuppressWarnings("removal")
 	public PemSslStoreBundle(PemSslStoreDetails keyStoreDetails, PemSslStoreDetails trustStoreDetails) {
 		this(keyStoreDetails, trustStoreDetails, null);
 	}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java

@@ -73,7 +73,7 @@ public record PemSslStoreDetails(String type, String alias, String password, Str
 	 * @param privateKeyPassword a password used to decrypt an encrypted private key
 	 */
 	public PemSslStoreDetails(String type, String certificate, String privateKey, String privateKeyPassword) {
-		this(type, null, null, certificate, privateKey, null);
+		this(type, null, null, certificate, privateKey, privateKeyPassword);
 	}
 
 	/**

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemContentTests.java

@@ -154,13 +154,4 @@ void ofReturnsContent() {
 		assertThat(PemContent.of("test")).hasToString("test");
 	}
 
-	@Test
-	void hashCodeAndEquals() {
-		PemContent a = PemContent.of("1");
-		PemContent b = PemContent.of("1");
-		PemContent c = PemContent.of("2");
-		assertThat(a.hashCode()).isEqualTo(b.hashCode());
-		assertThat(a).isEqualTo(a).isEqualTo(b).isNotEqualTo(c);
-	}
-
 }