From bca49a0d8aed4e238803a4db6e1c1faf13b8b301 Mon Sep 17 00:00:00 2001
From: Clement Escoffier
Date: Mon, 30 Jan 2023 14:44:25 +0100
Subject: [PATCH] Avoids using "password" as default password when loading / reading key stores. Fix https://github.com/quarkusio/quarkus/issues/29573. This should be considered as a breaking change for users using "password" as password.
---
 .../io/quarkus/grpc/runtime/GrpcSslUtils.java | 11 ++++++----
 .../grpc/runtime/config/SslServerConfig.java | 4 ++--
 ...edentials-jwt-private-key-store.properties | 2 ++
 .../oidc/common/runtime/OidcCommonConfig.java | 14 ++++++-------
 .../oidc/common/runtime/OidcCommonUtils.java | 21 ++++++++++++++++---
 .../vertx/http/runtime/CertificateConfig.java | 2 +-
 6 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcSslUtils.java b/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcSslUtils.java
index 80d8100f94170..5c418de5588ad 100644
--- a/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcSslUtils.java
+++ b/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcSslUtils.java
@@ -52,7 +52,6 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
 final Optional certFile = sslConfig.certificate;
 final Optional keyFile = sslConfig.key;
 final Optional keyStoreFile = sslConfig.keyStore;
- final String keystorePassword = sslConfig.keyStorePassword;
 final Optional trustStoreFile = sslConfig.trustStore;
 final Optional trustStorePassword = sslConfig.trustStorePassword;
@@ -77,15 +76,19 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
 switch (type) {
 case "pkcs12": {
 PfxOptions o = new PfxOptions()
- .setPassword(keystorePassword)
 .setValue(Buffer.buffer(data));
+ if (sslConfig.keyStorePassword.isPresent()) {
+ o.setPassword(sslConfig.keyStorePassword.get());
+ }
 options.setPfxKeyCertOptions(o);
 break;
 }
 case "jks": {
 JksOptions o = new JksOptions()
- .setPassword(keystorePassword)
 .setValue(Buffer.buffer(data));
+ if (sslConfig.keyStorePassword.isPresent()) {
+ o.setPassword(sslConfig.keyStorePassword.get());
+ }
 options.setKeyStoreOptions(o);
 break;
 }
@@ -97,7 +100,7 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
 }
 if (trustStoreFile.isPresent()) {
- if (!trustStorePassword.isPresent()) {
+ if (trustStorePassword.isEmpty()) {
 throw new IllegalArgumentException("No trust store password provided");
 }
 String type;
diff --git a/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/config/SslServerConfig.java b/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/config/SslServerConfig.java
index 77f47bfd2a09a..c557ecbd43c05 100644
--- a/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/config/SslServerConfig.java
+++ b/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/config/SslServerConfig.java
@@ -44,8 +44,8 @@ public class SslServerConfig {
 /**
 * A parameter to specify the password of the key store file. If not given, the default ("password") is used.
 */
- @ConfigItem(defaultValue = "password")
- public String keyStorePassword;
+ @ConfigItem
+ public Optional keyStorePassword;
 /**
 * An optional trust store which holds the certificate information of the certificates to trust
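Review bot: The two new `if (sslConfig.keyStorePassword.isPresent()) { o.setPassword(sslConfig.keyStorePassword.get()); }` blocks in the pkcs12 and jks cases are the isPresent/get form of Optional that `sslConfig.keyStorePassword.ifPresent(o::setPassword);` expresses in one line; the same pattern appears in the OidcCommonUtils.setHttpClientOptions hunk, where `.setPassword(oidcConfig.tls.keyStorePassword.orElse(null))` would also keep the builder chain in the same `orElse(null)` style as the adjacent `setAlias`/`setAliasPassword` lines. Either form only holds if the Vert.x options objects treat an unset and a null password identically, which cannot be confirmed from this diff. A comment on the omitted branch would also help, e.g. `// no password configured: the key store is opened without one`, since the trust store branch in the next hunk still rejects a missing password while the key store branch now accepts one silently. applySslOptions starts and ends outside the hunk.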
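Review bot: The Javadoc kept as context above the new `@ConfigItem public Optional keyStorePassword;` still says `If not given, the default ("password") is used.`, which is precisely the default this commit removes; the same stale sentence survives in the OidcCommonConfig `@@ -456` hunk, while the OidcCommonConfig `@@ -257` hunk does update it. Suggested wording for both: `* A parameter to specify the password of the key store file. If not given, the key store is loaded without a password.`. What happens with a missing password now depends on the store type and on the loading library, so the Javadoc is the main place where this breaking change is surfaced to users.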
diff --git a/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-private-key-store.properties b/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-private-key-store.properties
index 3a1248af6b726..f4006a52316b2 100644
--- a/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-private-key-store.properties
+++ b/extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-private-key-store.properties
@@ -4,4 +4,6 @@ quarkus.oidc.client-id=quarkus-app
 quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
 quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
 quarkus.oidc-client.credentials.jwt.key-store-file=keystore.jks
+quarkus.oidc-client.credentials.jwt.key-store-password=password
 quarkus.oidc-client.credentials.jwt.key-id=keycloak
+quarkus.oidc-client.credentials.jwt.key-password=password
diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
index 433dbe70c1b88..d60c4f8f95579 100644
--- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
+++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
@@ -257,10 +257,10 @@ public static class Jwt {
 public Optional keyStoreFile = Optional.empty();
 /**
- * A parameter to specify the password of the key store file. If not given, the default ("password") is used.
+ * A parameter to specify the password of the key store file.
 */
- @ConfigItem(defaultValue = "password")
- public String keyStorePassword;
+ @ConfigItem
+ public Optional keyStorePassword;
 /**
 * The private key id/alias
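Review bot: The new `public Optional keyStorePassword;` has no initializer while the sibling `keyStoreFile` on the first line of the hunk is declared `= Optional.empty()`; if anything reads this field before the config framework populates it, `isPresent()` on the new field throws NullPointerException where the sibling returns false. Declaring it as `public Optional<String> keyStorePassword = Optional.empty();` (the type argument was `String` before the change and appears to have been dropped by the rendering) keeps the class consistent, and the same applies to `keyPassword` in the `@@ -271` hunk. Presumably @ConfigItem populates Optional fields itself, so this is likely a consistency point rather than a live bug. The Jwt class starts and ends outside the hunk.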
@@ -271,8 +271,8 @@ public static class Jwt {
 /**
 * The private key password
 */
- @ConfigItem(defaultValue = "password")
- public String keyPassword;
+ @ConfigItem
+ public Optional keyPassword;
 /**
 * JWT audience ('aud') claim value.
@@ -456,8 +456,8 @@ public enum Verification {
 /**
 * A parameter to specify the password of the key store file. If not given, the default ("password") is used.
 */
- @ConfigItem(defaultValue = "password")
- public String keyStorePassword;
+ @ConfigItem
+ public Optional keyStorePassword;
 /**
 * An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains
diff --git a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
index 6afd8a4664209..8c66e1a5a3d8a 100644
--- a/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
+++ b/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
@@ -147,12 +147,16 @@ public static void setHttpClientOptions(OidcCommonConfig oidcConfig, TlsConfig t
 try {
 byte[] keyStoreData = getFileContent(oidcConfig.tls.keyStoreFile.get());
 io.vertx.core.net.KeyStoreOptions keyStoreOptions = new KeyStoreOptions()
- .setPassword(oidcConfig.tls.keyStorePassword)
 .setAlias(oidcConfig.tls.keyStoreKeyAlias.orElse(null))
 .setAliasPassword(oidcConfig.tls.keyStoreKeyPassword.orElse(null))
 .setValue(io.vertx.core.buffer.Buffer.buffer(keyStoreData))
 .setType(getStoreType(oidcConfig.tls.keyStoreFileType, oidcConfig.tls.keyStoreFile.get()))
 .setProvider(oidcConfig.tls.keyStoreProvider.orElse(null));
+
+ if (oidcConfig.tls.keyStorePassword.isPresent()) {
+ keyStoreOptions.setPassword(oidcConfig.tls.keyStorePassword.get());
+ }
+
 options.setKeyCertOptions(keyStoreOptions);
 } catch (IOException ex) {
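Review bot: The Javadoc `The private key password` above the new `public Optional keyPassword;` no longer tells the user that this property is now mandatory in the key store case: the OidcCommonUtils.clientJwtKey hunk in this commit throws a ConfigurationException when `keyStoreFile` is set and `keyPassword` is absent. Suggest `* The private key password. Required when {@code keyStoreFile} is set.` so the new failure mode is discoverable from the config reference. The Jwt class starts and ends outside the hunk.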
@@ -310,8 +314,19 @@ public static Key clientJwtKey(Credentials creds) {
 } else if (creds.jwt.keyStoreFile.isPresent()) {
 KeyStore ks = KeyStore.getInstance("JKS");
 InputStream is = ResourceUtils.getResourceStream(creds.jwt.keyStoreFile.get());
- ks.load(is, creds.jwt.keyStorePassword.toCharArray());
- key = ks.getKey(creds.jwt.keyId.get(), creds.jwt.keyPassword.toCharArray());
+
+ if (creds.jwt.keyStorePassword.isPresent()) {
+ ks.load(is, creds.jwt.keyStorePassword.get().toCharArray());
+ } else {
+ ks.load(is, null);
+ }
+
+ if (creds.jwt.keyPassword.isPresent()) {
+ key = ks.getKey(creds.jwt.keyId.get(), creds.jwt.keyPassword.get().toCharArray());
+ } else {
+ throw new ConfigurationException(
+ "When using a key store, the `quarkus.oidc-client.credentials.jwt.key-password` property must be set");
+ }
 }
 } catch (Exception ex) {
 throw new ConfigurationException("Key can not be loaded", ex);
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
index fa4ffb8ad5517..ede0b22e7e484 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
@@ -96,7 +96,7 @@ public class CertificateConfig {
 /**
 * A parameter to specify the password of the key store file. If not given, and if it can not be retrieved from
- * {@linkplain CredentialsProvider}, then the default ("password") is used.
+ * {@linkplain CredentialsProvider}.
 *
 * @see {@link #credentialsProvider}
 */
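Review bot: The new `throw new ConfigurationException("When using a key store, the ... key-password ... must be set")` is raised inside the `try` whose `catch (Exception ex)` at the end of the hunk rewraps everything as `"Key can not be loaded"`, so the actionable message is demoted to the cause and the user sees the generic one. The simplest fix is `catch (ConfigurationException ex) { throw ex; }` ahead of the generic catch; moving the `keyPassword` check above the two `ks.load(...)` calls would additionally avoid reading the store when the call cannot succeed, though it would still sit inside the try, which opens outside the hunk. Separately, the `InputStream is` from the context line is closed on neither path; wrapping the load in `try (InputStream is = ResourceUtils.getResourceStream(...))` would address it. The property name in the message is hard-coded to `quarkus.oidc-client.credentials.jwt.key-password` although this helper lives in oidc-common, so it may mislead if another extension reuses Credentials, which cannot be confirmed from this diff.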
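Review bot: The rewritten Javadoc sentence above `@see {@link #credentialsProvider}` is now a fragment: `If not given, and if it can not be retrieved from {@linkplain CredentialsProvider}.` has no main clause. Suggest `If not given, the password is looked up from the {@linkplain CredentialsProvider}, if one is configured; there is no default.`, assuming the loading code, which is outside this diff, no longer falls back to a default value.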