How to use the SSL autoconfiguration with a base64 encoded PKCS12?


I have a Spring Boot 3.1 application with the following configuration:

spring:
  ssl:
    bundle:
      pem:
        my-client:
          keystore:
            certificate: "MIIKyAIBAzCCC..."
            private-key: "keystore-password"
            type: "PKCS12"

Note: The value of certificate is actually a keystore containing a root, an intermediate and a leaf certificate.

Running the application results in the following exception:

Application run failed java.io.FileNotFoundException: /home/vcap/app/MIIKyAIBAzCCC...

Nowhere in the documentation is it specified that it has to be a file resource.

Documentation link: https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl

So my question is: how do I make the Spring autoconfiguration work with a Base64 encoded keystore (in string format)?

In case you're looking for the autoconfiguration class, it's: org.springframework.boot.autoconfigure.ssl.SslProperties

2

There are 2 answers

0
Julien Antony On

According to the javadoc, the property could be the "content" or the "location" in PEM format.

/**
 * Location or content of the certificate in PEM format.
 */
String certificate;

There is nothing about the certificate content being encoded in base64, and PKCS12 is not a PEM format.

Looking at the code that loads the keystore, you can see that the distinction between "content" and "location" is based on whether the first characters match the usual header of PEM files:

private static boolean isPemContent(String content) {
    return content != null && PEM_HEADER.matcher(content).find() && PEM_FOOTER.matcher(content).find();
}

Note: You can see that the location expects a URI. If Java natively supported the data scheme in URLs (does it?), this should become possible:

spring:
  ssl:
    bundle:
      pem:
        my-client:
          keystore:
            certificate: "data:application/x-pkcs12,MIIKyAIBAzCCC..."

To answer your question: You cannot use autoconfigure with a PKCS12 encoded in base64 without some extra steps.
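One way to do those extra steps on Spring Boot 3.1, as an added example that is not from the question, the answers or Spring Boot itself: register the bundle yourself through an SslBundleRegistrar bean, decoding the Base64 PKCS#12 at startup instead of pointing the PEM bundle at it. The class name and the property names app.ssl.my-client.keystore-base64 and app.ssl.my-client.keystore-password are assumptions; the spring.ssl.bundle.pem.my-client block from the question must be removed, because registering a second bundle under the same name fails.

```java
package com.example.ssl; // hypothetical package

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Base64;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslBundleRegistrar;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class Base64Pkcs12BundleConfig {

    private final String keystoreBase64;
    private final String keystorePassword;

    // Hypothetical property names; feed them from an environment variable or a secret store,
    // not from a committed application.yml, since the blob contains the private key.
    Base64Pkcs12BundleConfig(@Value("${app.ssl.my-client.keystore-base64}") String keystoreBase64,
                             @Value("${app.ssl.my-client.keystore-password}") String keystorePassword) {
        this.keystoreBase64 = keystoreBase64;
        this.keystorePassword = keystorePassword;
    }

    // The auto-configuration calls every SslBundleRegistrar bean, so the bundle becomes
    // available under SslBundles.getBundle("my-client") like a property-defined one.
    @Bean
    SslBundleRegistrar base64Pkcs12BundleRegistrar() {
        return registry -> registry.registerBundle("my-client", loadBundle());
    }

    private SslBundle loadBundle() {
        try {
            // Strict RFC 4648 decoder: malformed input fails fast instead of yielding garbage DER.
            byte[] der = Base64.getDecoder().decode(keystoreBase64.trim());
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(new ByteArrayInputStream(der), keystorePassword.toCharArray());
            if (!keyStore.aliases().hasMoreElements()) {
                throw new IllegalStateException("PKCS12 keystore contains no entries");
            }
            // Null trust store: the JVM default trust anchors are used for the peer.
            SslStoreBundle stores = SslStoreBundle.of(keyStore, keystorePassword, null);
            return SslBundle.of(stores, SslBundleKey.of(keystorePassword));
        } catch (GeneralSecurityException | IOException ex) {
            throw new IllegalStateException("Cannot load base64 PKCS12 bundle 'my-client'", ex);
        }
    }
}
```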

1
rwinner On

I filed a PR to support having a base64 encoded PKCS#12 keystore here: https://github.com/spring-projects/spring-boot/pull/35890

The Spring authors then thought it would be a good idea to implement this with a broader scope and closed the PR without merging it. Instead, they created an issue out of it; see the issue here: https://github.com/spring-projects/spring-boot/issues/36033

We should be able to use this from Spring Boot 3.2.x