

Merge pull request quarkusio#30708 from cescoffier/avoid-using-hardcoded-password

Fix quarkusio#29573
gastaldi authored Jan 31, 2023
2 parents 9ea761b + bca49a0 commit 750a259
Showing 6 changed files with 37 additions and 17 deletions.
Expand Up @@ -52,7 +52,6 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
final Optional<Path> certFile = sslConfig.certificate;
final Optional<Path> keyFile = sslConfig.key;
final Optional<Path> keyStoreFile = sslConfig.keyStore;
final String keystorePassword = sslConfig.keyStorePassword;
final Optional<Path> trustStoreFile = sslConfig.trustStore;
final Optional<String> trustStorePassword = sslConfig.trustStorePassword;

Expand All @@ -77,15 +76,19 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
switch (type) {
case "pkcs12": {
PfxOptions o = new PfxOptions()
.setPassword(keystorePassword)
.setValue(Buffer.buffer(data));
if (sslConfig.keyStorePassword.isPresent()) {
o.setPassword(sslConfig.keyStorePassword.get());
}
options.setPfxKeyCertOptions(o);
break;
}
case "jks": {
JksOptions o = new JksOptions()
.setPassword(keystorePassword)
.setValue(Buffer.buffer(data));
if (sslConfig.keyStorePassword.isPresent()) {
o.setPassword(sslConfig.keyStorePassword.get());
}
options.setKeyStoreOptions(o);
break;
}
Expand All @@ -97,7 +100,7 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
}

if (trustStoreFile.isPresent()) {
if (!trustStorePassword.isPresent()) {
if (trustStorePassword.isEmpty()) {
throw new IllegalArgumentException("No trust store password provided");
}
String type;
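Review bot: The new `if (sslConfig.keyStorePassword.isPresent())` branches in the `pkcs12` and `jks` cases silently proceed without a password, while the trust store a few lines below still fails fast with `throw new IllegalArgumentException("No trust store password provided")` when its password is missing. A PKCS#12 store's private-key entry is normally encrypted, so a missing key-store password will presumably surface later as an opaque Vert.x/KeyStore exception at startup instead of a clear configuration error, and loading a JKS with no password skips its integrity check. Consider keeping the two stores symmetric, or at least marking the asymmetry with a comment such as `// No key-store password configured: the store is opened without one (JKS integrity is not verified in that case).` applySslOptions starts before and ends after this section.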
Expand Up @@ -44,8 +44,8 @@ public class SslServerConfig {
/**
* A parameter to specify the password of the key store file. If not given, the default ("password") is used.
*/
@ConfigItem(defaultValue = "password")
public String keyStorePassword;
@ConfigItem
public Optional<String> keyStorePassword;

/**
* An optional trust store which holds the certificate information of the certificates to trust
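Review bot: The Javadoc above the changed `@ConfigItem` still reads `If not given, the default ("password") is used.`, but this commit removes that default, so the documentation now describes behaviour the code no longer has. In the gRPC SSL setup changed in this same commit an absent value simply means no password is set on the key store options; the doc should say that instead, e.g. `* A parameter to specify the password of the key store file. If not given, no password is set when the key store is loaded.` SslServerConfig continues outside this section.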
Expand Up @@ -4,4 +4,6 @@ quarkus.oidc.client-id=quarkus-app
quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.jwt.key-store-file=keystore.jks
quarkus.oidc-client.credentials.jwt.key-store-password=password
quarkus.oidc-client.credentials.jwt.key-id=keycloak
quarkus.oidc-client.credentials.jwt.key-password=password
Expand Up @@ -257,10 +257,10 @@ public static class Jwt {
public Optional<String> keyStoreFile = Optional.empty();

/**
* A parameter to specify the password of the key store file. If not given, the default ("password") is used.
* A parameter to specify the password of the key store file.
*/
@ConfigItem(defaultValue = "password")
public String keyStorePassword;
@ConfigItem
public Optional<String> keyStorePassword;

/**
* The private key id/alias
Expand All @@ -271,8 +271,8 @@ public static class Jwt {
/**
* The private key password
*/
@ConfigItem(defaultValue = "password")
public String keyPassword;
@ConfigItem
public Optional<String> keyPassword;

/**
* JWT audience ('aud') claim value.
Expand Down Expand Up @@ -456,8 +456,8 @@ public enum Verification {
/**
* A parameter to specify the password of the key store file. If not given, the default ("password") is used.
*/
@ConfigItem(defaultValue = "password")
public String keyStorePassword;
@ConfigItem
public Optional<String> keyStorePassword;

/**
* An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains
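Review bot: The `tls.keyStorePassword` Javadoc in the last hunk still says `If not given, the default ("password") is used.` while the `defaultValue = "password"` annotation under it is removed, so the two no longer agree; the `Jwt.keyStorePassword` doc in the first hunk was updated but this one was not. Suggested wording: `* A parameter to specify the password of the key store file. If not given, the key store is loaded without a password.` The `Jwt.keyPassword` doc could also state that the value is now mandatory when `keyStoreFile` is set, since the loader in this commit throws a ConfigurationException without it. The enclosing classes start and end outside this section.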
Expand Up @@ -147,12 +147,16 @@ public static void setHttpClientOptions(OidcCommonConfig oidcConfig, TlsConfig t
try {
byte[] keyStoreData = getFileContent(oidcConfig.tls.keyStoreFile.get());
io.vertx.core.net.KeyStoreOptions keyStoreOptions = new KeyStoreOptions()
.setPassword(oidcConfig.tls.keyStorePassword)
.setAlias(oidcConfig.tls.keyStoreKeyAlias.orElse(null))
.setAliasPassword(oidcConfig.tls.keyStoreKeyPassword.orElse(null))
.setValue(io.vertx.core.buffer.Buffer.buffer(keyStoreData))
.setType(getStoreType(oidcConfig.tls.keyStoreFileType, oidcConfig.tls.keyStoreFile.get()))
.setProvider(oidcConfig.tls.keyStoreProvider.orElse(null));

if (oidcConfig.tls.keyStorePassword.isPresent()) {
keyStoreOptions.setPassword(oidcConfig.tls.keyStorePassword.get());
}

options.setKeyCertOptions(keyStoreOptions);

} catch (IOException ex) {
Expand Down Expand Up @@ -310,8 +314,19 @@ public static Key clientJwtKey(Credentials creds) {
} else if (creds.jwt.keyStoreFile.isPresent()) {
KeyStore ks = KeyStore.getInstance("JKS");
InputStream is = ResourceUtils.getResourceStream(creds.jwt.keyStoreFile.get());
ks.load(is, creds.jwt.keyStorePassword.toCharArray());
key = ks.getKey(creds.jwt.keyId.get(), creds.jwt.keyPassword.toCharArray());

if (creds.jwt.keyStorePassword.isPresent()) {
ks.load(is, creds.jwt.keyStorePassword.get().toCharArray());
} else {
ks.load(is, null);
}

if (creds.jwt.keyPassword.isPresent()) {
key = ks.getKey(creds.jwt.keyId.get(), creds.jwt.keyPassword.get().toCharArray());
} else {
throw new ConfigurationException(
"When using a key store, the `quarkus.oidc-client.credentials.jwt.key-password` property must be set");
}
}
} catch (Exception ex) {
throw new ConfigurationException("Key can not be loaded", ex);
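Review bot: The new `ks.load(is, null)` branch in `clientJwtKey` loads a JKS store without a password, which (for JKS) also skips the store's integrity MAC verification, so a tampered keystore file would be accepted silently; if that is intended it deserves a comment on that line, e.g. `// No store password: JKS integrity is not verified, only the key password protects the entry.` The `keyPassword` presence check runs only after the store has been read, so a misconfiguration is reported late; moving the `throw new ConfigurationException(...)` ahead of `KeyStore.getInstance("JKS")` would fail faster. The `InputStream is` from `ResourceUtils.getResourceStream` is never closed on either path (pre-existing, but the new branches sit between open and use), so wrapping it in try-with-resources would be worth doing here. The error message hard-codes `quarkus.oidc-client.credentials.jwt.key-password`, which may not be the right prefix if `Credentials` is shared by other OIDC config roots; worth confirming. clientJwtKey's body continues beyond this section.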
Expand Up @@ -96,7 +96,7 @@ public class CertificateConfig {

/**
* A parameter to specify the password of the key store file. If not given, and if it can not be retrieved from
* {@linkplain CredentialsProvider}, then the default ("password") is used.
* {@linkplain CredentialsProvider}.
*
* @see {@link #credentialsProvider}
*/
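Review bot: The edited Javadoc sentence `If not given, and if it can not be retrieved from {@linkplain CredentialsProvider}.` now has no main clause, because only the `then the default ("password") is used` tail was deleted. It should state what actually happens in that case; since the loading code is not visible in this commit, something like `* A parameter to specify the password of the key store file. If not given, the value is looked up in {@linkplain CredentialsProvider}; if neither is available, the key store is loaded without a password.` is suggested, with the last clause to be confirmed against the loader. CertificateConfig starts and ends outside this section.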
