add common classes for TLS properties

spring-cloud-commons/src/main/java/org/springframework/cloud/configuration/SSLContextFactory.java

@@ -0,0 +1,119 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.configuration;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.UnrecoverableKeyException;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.http.ssl.SSLContextBuilder;
+
+import org.springframework.core.io.Resource;
+
+public class SSLContextFactory {
+
+	private TlsProperties properties;
+
+	public SSLContextFactory(TlsProperties properties) {
+		this.properties = properties;
+	}
+
+	public SSLContext createSSLContext() throws GeneralSecurityException, IOException {
+		SSLContextBuilder builder = new SSLContextBuilder();
+		char[] keyPassword = properties.keyPassword();
+		KeyStore keyStore = createKeyStore();
+
+		try {
+			builder.loadKeyMaterial(keyStore, keyPassword);
+		}
+		catch (UnrecoverableKeyException e) {
+			if (keyPassword.length == 0) {
+				// Retry if empty password, see
+				// https://rt.openssl.org/Ticket/Display.html?id=1497&user=guest&pass=guest
+				builder.loadKeyMaterial(keyStore, new char[] { '\0' });
+			}
+			else {
+				throw e;
+			}
+		}
+
+		KeyStore trust = createTrustStore();
+		if (trust != null) {
+			builder.loadTrustMaterial(trust, null);
+		}
+
+		return builder.build();
+	}
+
+	public KeyStore createKeyStore() throws GeneralSecurityException, IOException {
+		if (properties.getKeyStore() == null) {
+			throw new KeyStoreException("Keystore not specified.");
+		}
+		if (!properties.getKeyStore().exists()) {
+			throw new KeyStoreException(
+					"Keystore not exists: " + properties.getKeyStore());
+		}
+
+		KeyStore result = KeyStore.getInstance(properties.getKeyStoreType());
+		char[] keyStorePassword = properties.keyStorePassword();
+
+		try {
+			loadKeyStore(result, properties.getKeyStore(), keyStorePassword);
+		}
+		catch (IOException e) {
+			// Retry if empty password, see
+			// https://rt.openssl.org/Ticket/Display.html?id=1497&user=guest&pass=guest
+			if (keyStorePassword.length == 0) {
+				loadKeyStore(result, properties.getKeyStore(), new char[] { '\0' });
+			}
+			else {
+				throw e;
+			}
+		}
+
+		return result;
+	}
+
+	private static void loadKeyStore(KeyStore keyStore, Resource keyStoreResource,
+			char[] keyStorePassword) throws IOException, GeneralSecurityException {
+		try (InputStream inputStream = keyStoreResource.getInputStream()) {
+			keyStore.load(inputStream, keyStorePassword);
+		}
+	}
+
+	public KeyStore createTrustStore() throws GeneralSecurityException, IOException {
+		if (properties.getTrustStore() == null) {
+			return null;
+		}
+		if (!properties.getTrustStore().exists()) {
+			throw new KeyStoreException(
+					"KeyStore not exists: " + properties.getTrustStore());
+		}
+
+		KeyStore result = KeyStore.getInstance(properties.getTrustStoreType());
+		try (InputStream input = properties.getTrustStore().getInputStream()) {
+			result.load(input, properties.trustStorePassword());
+		}
+		return result;
+	}
+
+}

spring-cloud-commons/src/main/java/org/springframework/cloud/configuration/TlsProperties.java

@@ -0,0 +1,162 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.configuration;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.annotation.PostConstruct;
+
+import org.springframework.core.io.Resource;
+
+/**
+ * Common client TLS properties.
+ */
+public class TlsProperties {
+
+	private static final String DEFAULT_STORE_TYPE = "PKCS12";
+
+	private static final Map<String, String> EXTENSION_STORE_TYPES = extTypes();
+
+	private boolean enabled;
+
+	private Resource keyStore;
+
+	private String keyStoreType;
+
+	private String keyStorePassword = "";
+
+	private String keyPassword = "";
+
+	private Resource trustStore;
+
+	private String trustStoreType;
+
+	private String trustStorePassword = "";
+
+	private static Map<String, String> extTypes() {
+		Map<String, String> result = new HashMap<>();
+
+		result.put("p12", "PKCS12");
+		result.put("pfx", "PKCS12");
+		result.put("jks", "JKS");
+
+		return Collections.unmodifiableMap(result);
+	}
+
+	public boolean isEnabled() {
+		return enabled;
+	}
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+
+	public Resource getKeyStore() {
+		return keyStore;
+	}
+
+	public void setKeyStore(Resource keyStore) {
+		this.keyStore = keyStore;
+	}
+
+	public String getKeyStoreType() {
+		return keyStoreType;
+	}
+
+	public void setKeyStoreType(String keyStoreType) {
+		this.keyStoreType = keyStoreType;
+	}
+
+	public String getKeyStorePassword() {
+		return keyStorePassword;
+	}
+
+	public void setKeyStorePassword(String keyStorePassword) {
+		this.keyStorePassword = keyStorePassword;
+	}
+
+	public char[] keyStorePassword() {
+		return keyStorePassword.toCharArray();
+	}
+
+	public String getKeyPassword() {
+		return keyPassword;
+	}
+
+	public void setKeyPassword(String keyPassword) {
+		this.keyPassword = keyPassword;
+	}
+
+	public char[] keyPassword() {
+		return keyPassword.toCharArray();
+	}
+
+	public Resource getTrustStore() {
+		return trustStore;
+	}
+
+	public void setTrustStore(Resource trustStore) {
+		this.trustStore = trustStore;
+	}
+
+	public String getTrustStoreType() {
+		return trustStoreType;
+	}
+
+	public void setTrustStoreType(String trustStoreType) {
+		this.trustStoreType = trustStoreType;
+	}
+
+	public String getTrustStorePassword() {
+		return trustStorePassword;
+	}
+
+	public void setTrustStorePassword(String trustStorePassword) {
+		this.trustStorePassword = trustStorePassword;
+	}
+
+	public char[] trustStorePassword() {
+		return trustStorePassword.toCharArray();
+	}
+
+	@PostConstruct
+	public void postConstruct() {
+		if (keyStore != null && keyStoreType == null) {
+			keyStoreType = storeTypeOf(keyStore);
+		}
+		if (trustStore != null && trustStoreType == null) {
+			trustStoreType = storeTypeOf(trustStore);
+		}
+	}
+
+	private String storeTypeOf(Resource resource) {
+		String extension = fileExtensionOf(resource);
+		String type = EXTENSION_STORE_TYPES.get(extension);
+
+		return (type == null) ? DEFAULT_STORE_TYPE : type;
+	}
+
+	private String fileExtensionOf(Resource resource) {
+		String name = resource.getFilename();
+		int index = name.lastIndexOf('.');
+
+		return index < 0 ? "" : name.substring(index + 1).toLowerCase();
+	}
+
+}

spring-cloud-commons/src/test/java/org/springframework/cloud/configuration/KeyAndCert.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2018-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.configuration;
+
+import java.security.KeyPair;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+public class KeyAndCert {
+
+	private KeyPair keyPair;
+
+	private X509Certificate certificate;
+
+	public KeyAndCert(KeyPair keyPair, X509Certificate certificate) {
+		this.keyPair = keyPair;
+		this.certificate = certificate;
+	}
+
+	public KeyPair keyPair() {
+		return keyPair;
+	}
+
+	public PublicKey publicKey() {
+		return keyPair.getPublic();
+	}
+
+	public PrivateKey privateKey() {
+		return keyPair.getPrivate();
+	}
+
+	public X509Certificate certificate() {
+		return certificate;
+	}
+
+	public String subject() {
+		String dn = certificate.getSubjectDN().getName();
+		int index = dn.indexOf('=');
+		return dn.substring(index + 1);
+	}
+
+	public KeyAndCert sign(String subject) throws Exception {
+		KeyTool tool = new KeyTool();
+		return tool.signCertificate(subject, this);
+	}
+
+	public KeyAndCert sign(KeyPair keyPair, String subject) throws Exception {
+		KeyTool tool = new KeyTool();
+		return tool.signCertificate(keyPair, subject, this);
+	}
+
+	public KeyStore storeKeyAndCert(String keyPassword) throws Exception {
+		KeyStore result = KeyStore.getInstance("PKCS12");
+		result.load(null);
+
+		result.setKeyEntry(subject(), keyPair.getPrivate(), keyPassword.toCharArray(),
+				certChain());
+		return result;
+	}
+
+	private Certificate[] certChain() {
+		return new Certificate[] { certificate() };
+	}
+
+	public KeyStore storeCert() throws Exception {
+		return storeCert("PKCS12");
+	}
+
+	public KeyStore storeCert(String storeType) throws Exception {
+		KeyStore result = KeyStore.getInstance(storeType);
+		result.load(null);
+
+		result.setCertificateEntry(subject(), certificate());
+		return result;
+	}
+
+}