From fa325a3c9d1df86abba66bb627a519164daf61b0 Mon Sep 17 00:00:00 2001
From: Falko Modler
Date: Mon, 5 Jul 2021 00:06:38 +0200
Subject: [PATCH] TLS: Introduce key-store-key-password
---
 .../vertx/http/runtime/CertificateConfig.java | 6 +++++
 .../vertx/http/runtime/VertxHttpRecorder.java | 23 ++++++++++--------
 .../src/main/resources/application.properties | 1 +
 .../src/main/resources/server-keystore.jks | Bin 4369 -> 4369 bytes
 4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
index 21be315fadbef..544588de231a8 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
@@ -81,6 +81,12 @@ public class CertificateConfig {
 @ConfigItem
 public Optional keyStoreKeyAlias;
+ /**
+ * An optional parameter to define the password for the key, in case it's different from {@link #keyStorePassword}.
+ */
+ @ConfigItem
+ public Optional keyStoreKeyPassword;
+
 /**
 * An optional trust store which holds the certificate information of the certificates to trust.
 */
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java
index 3b5f239e5ba38..6638552083ee2 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/VertxHttpRecorder.java
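Review bot: The Javadoc on the new `keyStoreKeyPassword` field does not say what happens when the property is left unset. Going by the recorder change in this same commit, an empty value is handed on as `setAliasPassword(null)`, so presumably the key store password is then used for the key as well; that is worth confirming and stating. A second sentence such as `If not set, no separate key password is configured and the key store password applies.` would cover it.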
@@ -622,7 +622,8 @@ private static HttpServerOptions createSslOptions(HttpBuildTimeConfig buildTimeC
 keystorePassword,
 sslConfig.certificate.keyStoreFileType,
 sslConfig.certificate.keyStoreProvider,
- sslConfig.certificate.keyStoreKeyAlias);
+ sslConfig.certificate.keyStoreKeyAlias,
+ sslConfig.certificate.keyStoreKeyPassword);
 serverOptions.setKeyCertOptions(options);
 } else {
 return null;
@@ -637,7 +638,8 @@ private static HttpServerOptions createSslOptions(HttpBuildTimeConfig buildTimeC
 trustStorePassword.get(),
 sslConfig.certificate.trustStoreFileType,
 sslConfig.certificate.trustStoreProvider,
- sslConfig.certificate.trustStoreCertAlias);
+ sslConfig.certificate.trustStoreCertAlias,
+ Optional.empty());
 serverOptions.setTrustOptions(options);
 }
@@ -664,22 +666,23 @@ private static HttpServerOptions createSslOptions(HttpBuildTimeConfig buildTimeC
 return serverOptions;
 }
- private static KeyStoreOptions createKeyStoreOptions(Path keyStorePath, String password, Optional keyStoreFileType,
- Optional keyStoreProvider, Optional keyStoreAlias) throws IOException {
+ private static KeyStoreOptions createKeyStoreOptions(Path path, String password, Optional fileType,
+ Optional provider, Optional alias, Optional aliasPassword) throws IOException {
 final String type;
- if (keyStoreFileType.isPresent()) {
- type = keyStoreFileType.get().toLowerCase();
+ if (fileType.isPresent()) {
+ type = fileType.get().toLowerCase();
 } else {
- type = findKeystoreFileType(keyStorePath);
+ type = findKeystoreFileType(path);
 }
- byte[] data = getFileContent(keyStorePath);
+ byte[] data = getFileContent(path);
 KeyStoreOptions options = new KeyStoreOptions()
 .setPassword(password)
 .setValue(Buffer.buffer(data))
 .setType(type.toUpperCase())
- .setProvider(keyStoreProvider.orElse(null))
- .setAlias(keyStoreAlias.orElse(null));
+ .setProvider(provider.orElse(null))
+ .setAlias(alias.orElse(null))
+ .setAliasPassword(aliasPassword.orElse(null));
 return options;
 }
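Review bot: In the third hunk, `createKeyStoreOptions` is now shared by the key store and the trust store, but nothing documents that `aliasPassword` applies only to a private-key entry, or that an empty value is passed on as `setAliasPassword(null)`. A short Javadoc on the method should say that trust-store callers pass `Optional.empty()` (as the second hunk does) and that an absent value leaves the alias password unset; whether Vert.x then falls back to the store password should be confirmed. Separately, the rewritten `type = fileType.get().toLowerCase();` and the `type.toUpperCase()` context line use the default locale, so a user-supplied store type can be case-mapped differently under some locales; `type = fileType.get().toLowerCase(Locale.ROOT);` and `.setType(type.toUpperCase(Locale.ROOT))` would make it stable.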
diff --git a/integration-tests/vertx-http/src/main/resources/application.properties b/integration-tests/vertx-http/src/main/resources/application.properties
index d23f6c75671d7..dbdf680151b6e 100644
--- a/integration-tests/vertx-http/src/main/resources/application.properties
+++ b/integration-tests/vertx-http/src/main/resources/application.properties
@@ -2,6 +2,7 @@ vertx.event-loops.size=2
 quarkus.http.ssl.certificate.key-store-file=server-keystore.jks
 quarkus.http.ssl.certificate.key-store-password=password
 quarkus.http.ssl.certificate.key-store-key-alias=server
+quarkus.http.ssl.certificate.key-store-key-password=serverpw
 quarkus.http.ssl.certificate.trust-store-file=server-truststore.jks
 quarkus.http.ssl.certificate.trust-store-password=password
 quarkus.http.ssl.certificate.trust-store-cert-alias=mykey-1
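Review bot: The new `key-store-key-password=serverpw` line puts another literal credential next to `key-store-password=password`, with nothing marking them as fixture values. A comment above the block, e.g. `# test-only credentials for the bundled server-keystore.jks; do not reuse`, would make that explicit for anyone copying this file as a starting point. The test also appears to cover only the case where the key password differs from the store password, so a case with the property left unset may be worth keeping elsewhere.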
diff --git a/integration-tests/vertx-http/src/main/resources/server-keystore.jks b/integration-tests/vertx-http/src/main/resources/server-keystore.jks index 76b41c403a610b3133aae04a21f691bd22fa8a16..c7ac8b12c43bf6b7050d904fe0795f9c0d25d142 100644 GIT binary patch delta 1351 zcmV-N1-SZ=B9S5>{_Xzl00002000020000100whqa&~2M0004cbA*e;lZpr&f1|iQ zItBJfGJUa^*dAAN?y06_Pt^Jw>6<{D@#lCm=pnZC(&}S@zExaqwPs)HVgXsGiyh7c z8Q~sq$82-Dk|&d^PX3@bx#oL% zF_?CtH=a$GD;^w^6bpSG&6G}&e><-NP`bq9KNKhD}vqCl-tzfgD&9g_Nv zVQN12gVok`BucnYh70It5QQ+>j)V;xBP{qxbk#f7v?-nMP9c~!(`JDue{^_Yp5)S- zQHs0#5a1OqEWe9*6kdf88l%!@fDw|=K-5g-T+e@*@cq4$^J)yUMYHI(jTY*TG~a&P zRm|dp#7%I9Xuh)e_P5&=0M?^$k!LGLrQr0-z#BrNZPB(fasS<7C&Uhp#fv9?szZ&? zS!x7TSv+ImyNrut?Iixgf4YIX>&ZuCJcpDrmNgPC{3=*msQ$y}A*J7a$AB?1=M*#R zFpw+1QB7bvsxfwg7yMM+#Cg0cik^>4*?GZgr7sT_hwuz;D?y1c{hCTr`XPn$_hb60 z-)Aa6s6fd8JmFwjYR6jbj5Vc63A1&!KI4?m@4KK&I^Nm0N2%H>f2dPX%*Ru>sH1iM z$iqNQioO^Se9)_FC_)ou2MR0^d}S(TCdqz);O4_3ZVP`V-jywwZOUeFD;hKX#HJkG zST)tO`t(e_;Z zeKXKK1Z4pbpGC&%e`3;~+#Zo@y3%2CzkxgCn^l^Ti#)SI#QmHv8E&-npN|t;Odc{U zDOVjxQbYFDHOi=jD=Pmvgq2LY{scUDv#P6_&IV^F0RGKJ=A>?+I9la&7wfbxhJ1-^ zk|lS+z*Su*VYKIDmWn*@VRB8N>m3LDlx#T^;+)Rk5WyS@f7Q|k3g^5=jLw4MTqj)f z>U+EScOWq@$C<-U)v(})ggOLxyd$)Q8&jwp48Umgv7S*vb4W#I(377Prg(!)MCpXo+ZJB% z@J0Mi)CJ|5Mmq1YtD73c_ zD?AnXJo4H!Y=AJN&Bp(@OVB=0!oy|)^8CNtQEvKsF7aX(i?cDL>p;h9HO}}R4sI$J5aT!V3dSOnEjiBE>1)HVD}a_efYo*KlY+(Q61*!Vi3nx+=?J zOq#1xe`ZxPbzaY_Q|f#evkEZ+m`({u*g3Vc4k@KValuwpbZh6}1WU+8$#sD{`J&2* zZ;vlbZ`wY6XN45sHdi&qKprG2VfaxdO;nW9`_wWWC*KHKf@1VYMI`e@NvCA$HcbhG z;k@(hms*(c84lIh79gVl000311z0XMFgXAKvz!fK1F;Nh2ow-$mKLp`g#6R8_L^{tnIDdrHAfaJ5q3 zwCyqIl-_H7dq(?x(M1Mf!Vw{KbVY&? 
zoYnJfK}7MTa_w4=P+YH8S4IOW2V*6sQGZE>Y0hyyfrnP_1y*%3BqBM?cWY@1PH<2} z(r}qNPYiJ}z3RWFQ`o-MD3I_rosA-};l15@&$F(k80itUWe=S4s`Z%H-8r*6zX4wd zc_%7vb#YX*EWlZ5V!f}qphR8S`aGwWFDE6Stwwp*&EocaQp`9MRO7DtBOt(i(tqzL zW!fi8W9DvU1GnNUO`qK+szkl%76j!5{W7QO>aY9YhMz6Zf$${E8r0ll1~hia5;Ljg z7HXTi#X6ml@*>^D?O8iNLY0*IECb~J#clFCiTocG+tT*i8#Lq%D11z3Wy&ecp6$>x z?jK?A>A;&;EIAx`>EM0Y{AsH3Jbzj;Uq+LnGZ#rpWeR|HXHOnaEKQ0L&#FW}0bcAM z{G+fn0t`lZs2>ZFQAe7DiO|BdNT+fdD4$70za%g*?em^fegP0O+Z3vaFr>7U-iQi` zMm^<2uQI>t=nIH*xM{|AUgn4!6xtboP9;0<3}M~(+gsJ1nxctWv^qhxpnq6Qqxz={ zVU9XEQw2Phl~zU>g1ITak`k8eLfnp2wD#+=y@|;FY6qZre<7DTlLGCmQ##sG?X6ofU#2gN$;e6vLmJyV@l*t$( zWDjp_UiNyujh^KF-&M9doEZv;r;9Oxbb+t=6g?^qXFjc01+j6LFk3$UDz9x6`XP#! zYf=Se0hVksuaugFh!lJmHt;mQpxH?2 zni;*!V2o{;t+({nB4p<&jP$4XvDzvlVUhMck^479LTL2L^CfRcrlc6z0?9l`Q8@IQ z``-NmgRst5D*)|vM}NfxOKv_8h}xM8>;oO-XU zi-Ak=m17NjU#wW|>isalG#U)a{;PSk`1cHZWBSAn+zTx`jAo8C85d*ipWn5cPb$r= zvv?n}H9 zL7v-{kRs!9dYx`08z-c4emfu@R~kv!#(YxP$px#=z)DOdCX?z*$+v zMUJAJh*dxS4rCRnn~NKmP$63FNI{ow52Y